SIXTH EDITION


ELEMENTARY NUMBER THEORY
and its applications


KENNETH H. ROSEN


Editor-in-Chief: Deirdre Lynch 

Senior Acquisitions Editor: William Hoffman 

Associate Editor: Caroline Celano 

Marketing Manager: Jeff Weidenaar 

Marketing Assistant: Kendra Bassi 

Senior Managing Editor: Karen Wernholm 

Production Project Manager: Beth Houston 

Project Manager: Paul C. Anagnostopoulos 

Composition and Illustration: Windfall Software, using ZzTeX

Manufacturing Manager: Evelyn Beaton 

Photo Research: Maureen Raymond 

Senior Cover Designer: Beth Paquin 

Cover Design: Nancy Goulet, Studio;wink 

Cover Image: Gray Numbers, 1958 (collage) © Jasper Johns (b. 1930) / Private 
Collection / Licensed by VAGA, New York, N.Y. 


Photo Credits: Grateful acknowledgment is made to the copyright holders of the
biographical photos, listed on page 752, which is hereby made part of this copyright page.


Many of the designations used by manufacturers and sellers to distinguish their products
are claimed as trademarks. Where those designations appear in this book, and
Addison-Wesley was aware of a trademark claim, the designations have been printed in initial
caps or all caps.


Library of Congress Cataloging-in-Publication Data 


Rosen, Kenneth H. 
Elementary number theory and its applications / Kenneth H. Rosen. — 6th ed. 
p. cm.
Includes bibliographical references and index.
ISBN-13: 978-0-321-50031-1 (alk. paper)
ISBN-10: 0-321-50031-8 (alk. paper)
1. Number theory—Textbooks. I. Title.
QA241.R67 2011 
512.7/2—dc22 2010002572 


Copyright © 2011, 2005, 2000 by Kenneth H. Rosen. All rights reserved. No part 
of this publication may be reproduced, stored in a retrieval system, or transmitted, 

in any form or by any means, electronic, mechanical, photocopying, recording, or 
otherwise, without the prior written permission of the publisher. Printed in the United 
States of America. For information on obtaining permission for use of material in this 
work, please submit a written request to Pearson Education, Inc., Rights and Contracts 
Department, 500 Boylston Street, Suite 900, Boston, MA 02116, fax your request to 
(617) 848-7047, or e-mail at http://www.pearsoned.com/legal/permissions.htm. 


1 2 3 4 5 6 7 8 9 10—CW—14 13 12 11 10


Addison-Wesley is an imprint of Pearson
www.pearsonhighered.com


Preface 


My goal in writing this text has been to write an accessible and inviting introduction to 
number theory. Foremost, I wanted to create an effective tool for teaching and learning. 
I hoped to capture the richness and beauty of the subject and its unexpected usefulness. 
Number theory is both classical and modern, and, at the same time, both pure and applied. 
In this text, I have strived to capture these contrasting aspects of number theory. I have 
worked hard to integrate these aspects into one cohesive text. 


This book is ideal for an undergraduate number theory course at any level. No formal 
prerequisites beyond college algebra are needed for most of the material, other than 
some level of mathematical maturity. This book is also designed to be a source book 
for elementary number theory; it can serve as a useful supplement for computer science 
courses and as a primer for those interested in new developments in number theory and 
cryptography. Because it is comprehensive, it is designed to serve both as a textbook and 
as a lifetime reference for elementary number theory and its wide-ranging applications. 


This edition celebrates the silver anniversary of this book. Over the past 25 years, 
close to 100,000 students worldwide have studied number theory from previous editions. 
Each successive edition of this book has benefited from feedback and suggestions from 
many instructors, students, and reviewers. This new edition follows the same basic 
approach as all previous editions, but with many improvements and enhancements. I 
invite instructors unfamiliar with this book, or who have not looked at a recent edition, 
to carefully examine the sixth edition. I have confidence that you will appreciate the rich 
exercise sets, the fascinating biographical and historical notes, the up-to-date coverage, 
careful and rigorous proofs, the many helpful examples, the rich applications, the support 
for computational engines such as Maple and Mathematica, and the many resources 
available on the Web. 


Changes in the Sixth Edition 


The changes in the sixth edition have been designed to make the book easier to teach and 
learn from, more interesting and inviting, and as up-to-date as possible. Many of these 
changes were suggested by users and reviewers of the fifth edition. The following list 
highlights some of the more important changes in this edition. 


• New discoveries


This edition tracks recent discoveries of both a numerical and a theoretical nature. Among 
the new computational discoveries reflected in the sixth edition are four Mersenne primes 
and the latest evidence supporting many open conjectures. The Tao-Green theorem 
proving the existence of arbitrarily long arithmetic progressions of primes is one of the 
recent theoretical discoveries described in this edition. 


• Biographies and historical notes


Biographies of Terence Tao, Étienne Bézout, Norman MacLeod Ferrers, Clifford Cocks,
and Wacław Sierpiński supplement the already extensive collection of biographies in the
book. Surprising information about secret British cryptographic discoveries predating 
the work of Rivest, Shamir, and Adleman has been added. 


• Conjectures


The treatment of conjectures throughout elementary number theory has been expanded, 
particularly those about prime numbers and diophantine equations. Both resolved and 
open conjectures are addressed. 


• Combinatorial number theory


A new section of the book covers partitions, a fascinating and accessible topic in
combinatorial number theory. This new section introduces such important topics as
Ferrers diagrams, partition identities, and Ramanujan’s work on congruences. In this
section, partition identities, including Euler’s important results, are proved using both 
generating functions and bijections. 


• Congruent numbers and elliptic curves


A new section is devoted to the famous congruent number problem, which asks which 
positive integers are the area of a right triangle with rational side lengths. This section 
contains a brief introduction to elliptic curves and relates the congruent number problem 
to finding rational points on certain elliptic curves. Also, this section relates the congruent 
number problem to arithmetic progressions of three squares. 


• Geometric reasoning


This edition introduces the use of geometric reasoning in the study of diophantine
problems. In particular, new material shows that finding rational points on the unit circle
is equivalent to finding Pythagorean triples, and that finding rational triangles with a
given integer as area is equivalent to finding rational points on an associated elliptic 
curve. 


• Cryptography

This edition eliminates the unnecessary restriction that when the RSA cryptosystem is 
used to encrypt a plaintext message this message needs to be relatively prime to the 
modulus in the key. 


• Greatest common divisors


Greatest common divisors are now defined in the first chapter, as is what it means for
two integers to be relatively prime. The term Bézout coefficients is now introduced and
used in the book.


• Jacobi symbols


More motivation is provided for the usefulness of Jacobi symbols. In particular, an 
expanded discussion on the usefulness of the Jacobi symbol in evaluating Legendre 
symbols is now provided. 


• Enhanced exercise sets


Extensive work has been done to improve exercise sets even farther. Several hundred 
new exercises, ranging from routine to challenging, have been added. Moreover, new 
computational and exploratory exercises can be found in this new edition. 


• Accuracy


More attention than ever before has been paid to ensuring the accuracy of this edition. 
Two independent accuracy checkers have examined the entire text and the answers to 
exercises. 


• Web Site, www.pearsonhighered.com/rosen


The Web site for this edition has been considerably expanded. Students and instructors
will find many new resources they can use in conjunction with the book. Among the new
features are an expanded collection of applets, a manual for using computational engines
to explore number theory, and a Web page devoted to number theory news.


Exercise Sets 


Because exercises are so important, a large percentage of my writing and revision work 
has been devoted to the exercise sets. Students should keep in mind that the best way to 
learn mathematics is to work as many exercises as possible. I will briefly describe the 
types of exercises found in this book and where to find answers and solutions. 


• Standard Exercises


Many routine exercises are included to develop basic skills, with care taken so that 
both odd-numbered and even-numbered exercises of this type are included. A large 
number of intermediate-level exercises help students put several concepts together to 
form new results. Many other exercises and blocks of exercises are designed to develop 
new concepts. 


• Exercise Legend


Challenging exercises are in ample supply and are marked with one star (*) indicating a
difficult exercise and two stars (**) indicating an extremely difficult exercise. There are
some exercises that contain results used later in the text; these are marked with an arrow
symbol (>). These exercises should be assigned by instructors whenever possible.


• Exercise Answers


The answers to all odd-numbered exercises are provided at the end of the text. More 
complete solutions to these exercises can be found in the Student’s Solutions Manual that 
can be found on the Web site for this book. All solutions have been carefully checked 
and rechecked to ensure accuracy. 


• Computational Exercises


Each section includes computations and explorations designed to be done with a
computational program, such as Maple, Mathematica, PARI/GP, or Sage, or using programs
written by instructors and/or students. There are routine computational exercises students 
can do to learn how to apply basic commands (as described in Appendix D for Maple and 
Mathematica and on the Web site for PARI/GP and Sage), as well as more open-ended 
questions designed for experimentation and creativity. Each section also includes a set of 
programming projects designed to be done by students using a programming language 
or the computational program of their choice. The Student’s Manual to Computations 
and Explorations on the Web site provides answers, hints, and guidance that will help 
students use computational tools to attack these exercises. 


Web Site 


Students and instructors will find a comprehensive collection of resources on this 
book’s Web site. Students (as well as instructors) can find a wide range of resources at 
www.pearsonhighered.com/rosen. Resources intended for only instructor use can be
accessed at www.pearsonhighered.com/irc; instructors can obtain their password for these
resources from Pearson. 


• External Links


The Web site for this book contains a guide providing annotated links to many Web sites 
relevant to number theory. These sites are keyed to the page in the book where relevant 
material is discussed. These locations are marked in the book with the icon (_). For 
convenience, a list of the most important Web sites related to number theory is provided 
in Appendix D. 


• Number Theory News


The Web site also contains a section highlighting the latest discoveries in number theory. 


• Student’s Solutions Manual


Worked-out solutions to all the odd-numbered exercises in the text and sample exams 
can be found in the online Student’s Solution Manual. 


• Student’s Manual for Computations and Explorations


A manual providing resources supporting the computations and explorations can be
found on the Web site for this book. This manual provides worked-out solutions or partial
solutions to many of these computational and exploratory exercises, as well as hints and
guidance for attacking others. This manual will support, to varying degrees, different
computational environments, including Maple, Mathematica, and PARI/GP.


• Applets


An extensive collection of applets is provided on the Web site. These applets can be used
by students for some common computations in number theory and to help understand
concepts and explore conjectures. Besides algorithms for computations in number theory,
a collection of cryptographic applets is also provided. These include applets for
encryption, decryption, cryptanalysis, and cryptographic protocols, addressing both classical
ciphers and the RSA cryptosystem. These cryptographic applets can be used for
individual, group, and classroom activities.


• Suggested Projects


A useful collection of suggested projects can also be found on the Web site for this book. 
These projects can serve as final projects for students and for groups of students. 


• Instructor’s Manual


Worked solutions to all exercises in the text, including the even-numbered exercises,
and a variety of other resources can be found on the Web site for instructors (which 
is not available to students). Among these other resources are sample syllabi, advice on 
planning which sections to cover, and a test bank. 


How to Design a Course Using this Book 


This book can serve as the text for elementary number theory courses with many different 
slants and at many different levels. Consequently, instructors will have a great deal of 
flexibility designing their syllabi with this text. Most instructors will want to cover the 
core material in Chapter 1 (as needed), Section 2.1 (as needed), Chapter 3, Sections
4.1–4.3, Chapter 6, Sections 7.1–7.3, and Sections 9.1–9.2.


To fill out their syllabi, instructors can add material on topics of interest. Generally, 
topics can be broadly classified as pure versus applied. Pure topics include Möbius
inversion (Section 7.4), integer partitions (Section 7.5), primitive roots (Chapter 9),
continued fractions (Chapter 12), diophantine equations (Chapter 13), and Gaussian
integers (Chapter 14). 


Some instructors will want to cover accessible applications such as divisibility tests, 
the perpetual calendar, and check digits (Chapter 5). Those instructors who want to stress 
computer applications and cryptography should cover Chapter 2 and Chapter 8. They 
may also want to include Sections 9.3 and 9.4, Chapter 10, and Section 11.5. 


After deciding which topics to cover, instructors may wish to consult the following
figure displaying the dependency of chapters:


[Figure: chapter dependency diagram]


Although Chapter 2 may be omitted if desired, it does explain the big-O notation 
used throughout the text to describe the complexity of algorithms. Chapter 12 depends 
only on Chapter 1, as shown, except for Theorem 12.4, which depends on material 
from Chapter 9. Section 13.4 is the only part of Chapter 13 that depends on Chapter 
12. Chapter 11 can be studied without covering Chapter 9 if the optional comments 
involving primitive roots in Section 9.1 are omitted. Section 14.3 should also be covered 
in conjunction with Section 13.3. 


For further assistance, instructors can consult the suggested syllabi for courses with 
different emphases provided in the Instructor’s Resource Guide on the Web site. 


What Is Number Theory?


There is a buzz about number theory: Thousands of people work on communal number
theory problems over the Internet . . . the solution of a famous problem in number
theory is reported on the PBS television series NOVA . . . people study number theory 
to understand systems for making messages secret . . . What is this subject, and why are 
so many people interested in it today? 


Number theory is the branch of mathematics that studies the properties of, and the 
relationships between, particular types of numbers. Of the sets of numbers studied in 
number theory, the most important is the set of positive integers. More specifically, 
the primes, those positive integers with no positive proper factors other than 1, are 
of special importance. A key result of number theory shows that the primes are the 
multiplicative building blocks of the positive integers. This result, called the fundamental 
theorem of arithmetic, tells us that every positive integer can be uniquely written as 
the product of primes in nondecreasing order. Interest in prime numbers goes back 
at least 2500 years, to the studies of ancient Greek mathematicians. Perhaps the first 
question about primes that comes to mind is whether there are infinitely many. In The 
Elements, the ancient Greek mathematician Euclid provided a proof that there are
infinitely many primes. This proof is considered to be one of the most beautiful proofs 
in all of mathematics. Interest in primes was rekindled in the seventeenth and eighteenth 
centuries, when mathematicians such as Pierre de Fermat and Leonhard Euler proved 
many important results and conjectured approaches for generating primes. The study of 
primes progressed substantially in the nineteenth century; results included the infinitude 
of primes in arithmetic progressions, and sharp estimates for the number of primes not 
exceeding a positive number x. The last 100 years has seen the development of many 
powerful techniques for the study of primes, but even with these powerful techniques, 
many questions remain unresolved. An example of a notorious unsolved question is 
whether there are infinitely many twin primes, which are pairs of primes that differ by 2. 
New results will certainly follow in the coming decades, as researchers continue working 
on the many open questions involving primes. 


The development of modern number theory was made possible by the German 
mathematician Carl Friedrich Gauss, one of the greatest mathematicians in history, who 
in the early nineteenth century developed the language of congruences. We say that two 
integers a and b are congruent modulo m, where m is a positive integer, if m divides
$a - b$. This language makes it easy to work with divisibility relationships in much the
same way that we work with equations. Gauss developed many important concepts in
number theory; for example, he proved one of its most subtle and beautiful results, the law
of quadratic reciprocity. This law relates whether a prime p is a perfect square modulo
a second prime q to whether q is a perfect square modulo p. Gauss developed many
different proofs of this law, some of which have led to whole new areas of number theory.


Distinguishing primes from composite integers is a key problem of number theory. 
Work on this problem has produced an arsenal of primality tests. The simplest primality 
test is simply to check whether a positive integer is divisible by each prime not exceeding 
its square root. Unfortunately, this test is too inefficient to use for extremely large positive 
integers. Many different approaches have been used to determine whether an integer is 
prime. For example, in the nineteenth century, Pierre de Fermat showed that p divides
$2^p - 2$ whenever p is prime. Some mathematicians thought that the converse also was
true (that is, that if n divides $2^n - 2$, then n must be prime). However, it is not; by the early
nineteenth century, composite integers n, such as 341, were known for which n divides
$2^n - 2$. Such integers are called pseudoprimes. Though pseudoprimes exist, primality
tests based on the fact that most composite integers are not pseudoprimes are now used
to quickly find extremely large integers which are extremely likely to be primes.
However, they cannot be used to prove that an integer is prime. Finding an efficient 
method to prove that an integer is prime was an open question for hundreds of years. 
In a surprise to the mathematical community, this question was solved in 2002 by three 
Indian computer scientists, Manindra Agrawal, Neeraj Kayal, and Nitin Saxena. Their 
algorithms can prove that an integer is prime in polynomial time (in terms of the number 
of digits of n). 
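
The two tests contrasted in this paragraph, as an added example that is not code from the book: exact trial division beside the fast test "n divides $2^n - 2$", with the composites that fool the latter listed explicitly. The function names and the bound 2000 are assumptions chosen for illustration.

```python
from math import isqrt


def smallest_factor(n: int) -> int:
    """Trial division: smallest divisor d > 1 of n (n itself when n is prime).

    Only 2 and the odd numbers up to sqrt(n) are tried; the first divisor
    found is necessarily prime. The loop length grows like sqrt(n), that is,
    exponentially in the number of digits of n.
    """
    if n < 2:
        raise ValueError("n must be at least 2")
    if n % 2 == 0:
        return 2
    for d in range(3, isqrt(n) + 1, 2):
        if n % d == 0:
            return d
    return n


def is_prime(n: int) -> bool:
    """Exact primality by trial division (practical only for small n)."""
    return n >= 2 and smallest_factor(n) == n


def passes_fermat_base2(n: int) -> bool:
    """True when n divides 2^n - 2, checked as 2^n mod n == 2 mod n.

    pow(2, n, n) uses fast modular exponentiation, so this stays quick even
    for integers with hundreds of digits. A False result proves n composite;
    a True result proves nothing, as the pseudoprimes show.
    """
    return pow(2, n, n) == 2 % n


def base2_pseudoprimes(limit: int) -> list[int]:
    """Composite n < limit for which n divides 2^n - 2."""
    return [n for n in range(2, limit)
            if passes_fermat_base2(n) and not is_prime(n)]


if __name__ == "__main__":
    # 341 is the composite the text names: it passes the fast test anyway.
    print("341 =", smallest_factor(341), "*", 341 // smallest_factor(341))
    print("341 passes base-2 test:", passes_fermat_base2(341))
    print("pseudoprimes below 2000:", base2_pseudoprimes(2000))
    # Both answers below come back at once; trial division on integers of
    # this size would need on the order of 10^19 divisions.
    print("2^127 - 1 passes:", passes_fermat_base2(2**127 - 1))
    print("2^127 + 1 passes:", passes_fermat_base2(2**127 + 1))
```

Only seven composites below 2000 pass, against 303 primes in the same range, which is the sense in which most composite integers are not pseudoprimes.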


Factoring a positive integer into primes is another central problem in number theory. 
The factorization of a positive integer can be found using trial division, but this method 
is extremely time-consuming. Fermat, Euler, and many other mathematicians devised 
imaginative factorization algorithms, which have been extended in the past 30 years 
into a wide array of factoring methods. Using the best-known techniques, we can easily 
find primes with hundreds or even thousands of digits; factoring integers with the same 
number of digits, however, is beyond our most powerful computers. 


The dichotomy between the time required to find large integers which are almost 
certainly prime and the time required to factor large integers is the basis of an extremely 
important secrecy system, the RSA cryptosystem. The RSA system is a public key 
cryptosystem, a security system in which each person has a public key and an associated 
private key. Messages can be encrypted by anyone using another person’s public key, 
but these messages can be decrypted only by the owner of the private key. Concepts 
from number theory are essential to understanding the basic workings of the RSA 
cryptosystem, as well as many other parts of modern cryptography. The overwhelming 
importance of number theory in cryptography contradicts the earlier belief, held by many 
mathematicians, that number theory was unimportant for real-world applications. It is 
ironic that some famous mathematicians, such as G. H. Hardy, took pride in the notion 
that number theory would never be applied in the way that it is today. 
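
A toy version of the public key scheme just described, as an added example that is not code from the book. The primes 61 and 53, the exponent 17, and all function names are assumptions chosen for illustration; the last function also checks the point made in the preface that a plaintext need not be relatively prime to the modulus.

```python
from math import gcd

# Constructed toy parameters: real keys use primes hundreds of digits long
# together with a padding scheme, neither of which is modelled here.
P, Q, E = 61, 53, 17


def make_keypair(p: int, q: int, e: int):
    """Return (public, private) = ((n, e), (n, d)) with e*d = 1 mod (p-1)(q-1)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    n = p * q
    return (n, e), (n, d)


def encrypt(m: int, public_key) -> int:
    """Anyone holding the public key can compute c = m^e mod n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, e, n)


def decrypt(c: int, private_key) -> int:
    """Only the holder of d can recover m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def messages_sharing_factor(n: int) -> list[int]:
    """Plaintexts in [0, n) that are NOT relatively prime to the modulus."""
    return [m for m in range(n) if gcd(m, n) != 1]


def roundtrip_failures(public_key, private_key) -> list[int]:
    """Every m in [0, n) for which decrypt(encrypt(m)) differs from m."""
    n, _ = public_key
    return [m for m in range(n)
            if decrypt(encrypt(m, public_key), private_key) != m]


if __name__ == "__main__":
    public, private = make_keypair(P, Q, E)
    print("public key:", public, "private key:", private)
    c = encrypt(65, public)
    print("65 ->", c, "->", decrypt(c, private))
    awkward = messages_sharing_factor(public[0])
    print(len(awkward), "plaintexts share a factor with n, e.g.", awkward[:4])
    print("round-trip failures over all plaintexts:",
          roundtrip_failures(public, private))
```

Decryption succeeds for every residue because the modulus is a product of two distinct primes, so the congruence can be checked separately modulo each prime.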


The search for integer solutions of equations is another important part of number 
theory. An equation with the added proviso that only integer solutions are sought is called 
diophantine, after the ancient Greek mathematician Diophantus. Many different types of 
diophantine equations have been studied, but the most famous is the Fermat equation 
$x^n + y^n = z^n$. Fermat’s last theorem states that if n is an integer greater than 2, this
equation has no solutions in integers x, y, and z, where $xyz \neq 0$. Fermat conjectured
in the seventeenth century that this theorem was true, and mathematicians (and others) 
searched for proofs for more than three centuries, but it was not until 1995 that the first 
proof was given by Andrew Wiles. 


As Wiles’s proof shows, number theory is not a static subject! New discoveries 
continue steadily to be made, and researchers frequently establish significant theoretical 
results. The fantastic power available when today’s computers are linked over the Internet 
yields a rapid pace of new computational discoveries in number theory. Everyone can 
participate in this quest; for instance, you can join the quest for the new Mersenne primes, 
primes of the form $2^p - 1$, where p itself is prime. In August 2008, the first prime with
more than 10 million decimal digits was found: the Mersenne prime $2^{43{,}112{,}609} - 1$. This
discovery qualified for a $100,000 prize from the Electronic Frontier Foundation. A
concerted effort is under way to find a prime with more than 100 million digits, with a
$150,000 prize offered. After learning about some of the topics covered in this text, you
may decide to join the hunt yourself, putting your idle computing resources to good use. 


What is elementary number theory? You may wonder why the word “elementary” 
is part of the title of this book. This book considers only that part of number theory called 
elementary number theory, which is the part not dependent on advanced mathematics, 
such as the theory of complex variables, abstract algebra, or algebraic geometry. Students 
who plan to continue the study of mathematics will learn about more advanced areas of 
number theory, such as analytic number theory (which takes advantage of the theory 
of complex variables) and algebraic number theory (which uses concepts from abstract 
algebra to prove interesting results about algebraic number fields). 


Some words of advice. As you embark on your study, keep in mind that number 
theory is a classical subject with results dating back thousands of years, yet is also the 
most modern of subjects, with new discoveries being made at a rapid pace. It is pure 
mathematics with the greatest intellectual appeal, yet it is also applied mathematics, with
crucial applications to cryptography and other aspects of computer science and electrical 
engineering. I hope that you find the many facets of number theory as captivating as 
aficionados who have preceded you, many of whom retained an interest in number theory 
long after their school days were over. 


Experimentation and exploration play a key role in the study of number theory. The 
results in this book were found by mathematicians who often examined large amounts of 
numerical evidence, looking for patterns and making conjectures. They worked diligently 
to prove their conjectures; some of these were proved and became theorems, others were 
rejected when counterexamples were found, and still others remain unresolved. As you 
study number theory, I recommend that you examine many examples, look for patterns, 
and formulate your own conjectures. You can examine small examples by hand, much as 
the founders of number theory did, but unlike these pioneers, you can also take advantage 
of today’s vast computing power and computational engines. Working through examples, 
either by hand or with the aid of computers, will help you to learn the subject—and you 
may even find some new results of your own! 


The Integers


In the most general sense, number theory deals with the properties of different sets of
numbers. In this chapter, we will discuss some particularly important sets of numbers, 
including the integers, the rational numbers, and the algebraic numbers. We will briefly 
introduce the notion of approximating real numbers by rational numbers. We will also 
introduce the concept of a sequence, and particular sequences of integers, including some 
figurate numbers studied in ancient Greece. A common problem is the identification of 
a particular integer sequence from its initial terms; we will briefly discuss how to attack 
such problems. 


Using the concept of a sequence, we will define countable sets and show that the set 
of rational numbers is countable. We will also introduce notations for sums and products, 
and establish some useful summation formulas. 


One of the most important proof techniques in number theory (and in much of 
mathematics) is mathematical induction. We will discuss the two forms of mathematical 
induction, illustrate how they can be used to prove various results, and explain why 
mathematical induction is a valid proof technique. 


Continuing, we will introduce the intriguing sequence of Fibonacci numbers, and 
describe the original problem from which they arose. We will establish some identities 
and inequalities involving the Fibonacci numbers, using mathematical induction for 
some of our proofs. 


The final section of this chapter deals with a fundamental notion in number theory, 
that of divisibility. We will establish some of the basic properties of division of integers, 
including the “division algorithm.” We will show how the quotient and remainder of a 
division of one integer by another can be expressed using values of the greatest integer 
function (we will describe a few of the many useful properties of this function, as well). 


1.1 Numbers and Sequences


In this section, we introduce basic material that will be used throughout the text. In 
particular, we cover the important sets of numbers studied in number theory, the concept 
of integer sequences, and summations and products. 


Numbers 


To begin, we will introduce several different types of numbers. The integers are the 
numbers in the set 


$\{\ldots, -3, -2, -1, 0, 1, 2, 3, \ldots\}.$


The integers play center stage in the study of number theory. One property of the positive 
integers deserves special mention. 


The Well-Ordering Property Every nonempty set of positive integers has a least 
element. 


The well-ordering property may seem obvious, but it is the basic principle that allows 
us to prove many results about sets of integers, as we will see in Section 1.3. 


The well-ordering property can be taken as one of the axioms defining the set of 
positive integers or it may be derived from a set of axioms in which it is not included. 
(See Appendix A for axioms for the set of integers.) We say that the set of positive 
integers is well ordered. However, the set of all integers (positive, negative, and zero) 
is not well ordered, as there are sets of integers without a smallest element, such as the 
set of negative integers, the set of even integers less than 100, and the set of all integers 
itself. 


Another important class of numbers in the study of number theory is the set of 
numbers that can be written as a ratio of integers. 


Definition. The real number r is rational if there are integers p and q, with $q \neq 0$,
such that r = p/q. If r is not rational, it is said to be irrational.


Example 1.1. The numbers $-22/7$, 0 = 0/1, 2/17, and 1111/41 are rational numbers. ◄


Note that every integer n is a rational number, because n = n/1. Examples of irrational
numbers are $\sqrt{2}$, $\pi$, and e. We can use the well-ordering property of the set of positive
integers to show that $\sqrt{2}$ is irrational. The proof that we provide, although quite clever,
is not the simplest proof that $\sqrt{2}$ is irrational. You may prefer the proof that we will give
in Chapter 4, which depends on concepts developed in that chapter. (The proof that e is
irrational is left as Exercise 44. We refer the reader to [HaWr08] for a proof that $\pi$ is
irrational. It is not easy.)


Theorem 1.1. $\sqrt{2}$ is irrational.


Proof. Suppose that $\sqrt{2}$ were rational. Then there would exist positive integers a and b
such that $\sqrt{2} = a/b$. Consequently, the set $S = \{k\sqrt{2} \mid k \text{ and } k\sqrt{2} \text{ are positive integers}\}$
is a nonempty set of positive integers (it is nonempty because $a = b\sqrt{2}$ is a member
of S). Therefore, by the well-ordering property, S has a smallest element, say, $s = t\sqrt{2}$.
We have $s\sqrt{2} - s = s\sqrt{2} - t\sqrt{2} = (s - t)\sqrt{2}$. Because $s\sqrt{2} = 2t$ and s are both
integers, $s\sqrt{2} - s = s\sqrt{2} - t\sqrt{2} = (s - t)\sqrt{2}$ must also be an integer. Furthermore, it
is positive, because $s\sqrt{2} - s = s(\sqrt{2} - 1)$ and $\sqrt{2} > 1$. It is less than s, because $\sqrt{2} < 2$
so that $\sqrt{2} - 1 < 1$. This contradicts the choice of s as the smallest positive integer in S.
It follows that $\sqrt{2}$ is irrational. ■


The sets of integers, positive integers, rational numbers, and real numbers are 
traditionally denoted by $\mathbf{Z}$, $\mathbf{Z}^+$, $\mathbf{Q}$, and $\mathbf{R}$, respectively. Also, we write $x \in S$ to indicate
that x belongs to the set S. Such notation will be used occasionally in this book. 


We briefly mention several other types of numbers here, though we do not return to 
them until Chapter 12. 


Definition. A number $\alpha$ is algebraic if it is the root of a polynomial with integer
coefficients; that is, $\alpha$ is algebraic if there exist integers $a_0, a_1, \ldots, a_n$ such that
$a_n\alpha^n + a_{n-1}\alpha^{n-1} + \cdots + a_0 = 0$. The number $\alpha$ is called transcendental if it is not algebraic.


Example 1.2. The irrational number $\sqrt{2}$ is algebraic, because it is a root of the
polynomial $x^2 - 2$. ◀


Note that every rational number is algebraic. This follows from the fact that the number
a/b, where a and b are integers and $b \neq 0$, is the root of $bx - a$. In Chapter 12,
we will give an example of a transcendental number. The numbers e and $\pi$ are also
transcendental, but the proofs of these facts (which can be found in [HaWr08]) are beyond
the scope of this book.


The Greatest Integer Function 


In number theory, a special notation is used for the largest integer that is less than or 
equal to a particular real number. 


Definition. The greatest integer in a real number x, denoted by [x], is the largest integer
less than or equal to x. That is, [x] is the integer satisfying

$$[x] \le x < [x] + 1.$$


Example 1.3. We have $[5/2] = 2$, $[-5/2] = -3$, $[\pi] = 3$, $[-2] = -2$, and $[0] = 0$. ◀


Remark. The greatest integer function is also known as the floor function. Instead of
using the notation [x] for this function, computer scientists usually use the notation $\lfloor x \rfloor$.
The ceiling function is a related function often used by computer scientists. The ceiling
function of a real number x, denoted by $\lceil x \rceil$, is the smallest integer greater than or equal
to x. For example, $\lceil 5/2 \rceil = 3$ and $\lceil -5/2 \rceil = -2$.


The greatest integer function arises in many contexts. Besides being important in 
number theory, as we will see throughout this book, it plays an important role in the 
analysis of algorithms, a branch of computer science. The following example establishes 
a useful property of this function. Additional properties of the greatest integer function
are found in the exercises at the end of this section and in [GrKnPa94]. 


Example 1.4. Show that if n is an integer, then $[x + n] = [x] + n$ whenever x is a
real number. To show that this property holds, let $[x] = m$, so that m is an integer. This
implies that $m \le x < m + 1$. We can add n to this inequality to obtain
$m + n \le x + n < m + n + 1$. This shows that $m + n = [x] + n$ is the greatest integer less than or equal to
$x + n$. Hence, $[x + n] = [x] + n$. ◀


Definition. The fractional part of a real number x, denoted by {x}, is the difference
between x and the largest integer less than or equal to x, namely, [x]. That is,
$\{x\} = x - [x]$.


Because $[x] \le x < [x] + 1$, it follows that $0 \le \{x\} = x - [x] < 1$ for every real
number x. The greatest integer in x is also called the integral part of x because
$x = [x] + \{x\}$.


Example 1.5. We have $\{5/4\} = 5/4 - [5/4] = 5/4 - 1 = 1/4$ and
$\{-2/3\} = -2/3 - [-2/3] = -2/3 - (-1) = 1/3$. ◀


Diophantine Approximation 


We know that the distance of a real number to the integer closest to it is at most 1/2. 
But can we show that one of the first k multiples of a real number must be much closer 
to an integer? An important part of number theory called diophantine approximation 
studies questions such as this. In particular, it concentrates on questions that involve 
the approximation of real numbers by rational numbers. (The adjective diophantine 
comes from the Greek mathematician Diophantus, whose biography can be found in 
Section 13.1.) 


Here we will show that among the first n multiples of a real number $\alpha$, there must
be at least one at a distance less than 1/n from the integer nearest it. The proof will
depend on the famous pigeonhole principle, introduced by the German mathematician
Dirichlet.¹ Informally, this principle tells us if we have more objects than boxes, when
these objects are placed in the boxes, at least two must end up in the same box. Although
this seems like a particularly simple idea, it turns out to be extremely useful in number
theory and combinatorics. We now state and prove this important fact, which is known
as the pigeonhole principle, because if you have more pigeons than roosts, two pigeons
must end up in the same roost.


Theorem 1.2. The Pigeonhole Principle. If k + 1 or more objects are placed into k 
boxes, then at least one box contains two or more of the objects. 


1 Instead of calling Theorem 1.2 the pigeonhole principle, Dirichlet called it the Schubfachprinzip in German, 
which translates to the drawer principle in English. A biography of Dirichlet can be found in Section 3.1. 

Proof. If none of the k boxes contains more than one object, then the total number of
objects would be at most k. This contradiction shows that one of the boxes contains at
least two or more of the objects. ■


We now state and prove the approximation theorem, which guarantees that one of
the first n multiples of a real number must be within 1/n of an integer. The proof we
give illustrates the utility of the pigeonhole principle. (See [Ro07] for more applications
of the pigeonhole principle.) (Note that in the proof we make use of the absolute value
function. Recall that |x|, the absolute value of x, equals x if $x \ge 0$ and $-x$ if $x < 0$. Also
recall that $|x - y|$ gives the distance between x and y.)


Theorem 1.3. Dirichlet's Approximation Theorem. If $\alpha$ is a real number and n is a
positive integer, then there exist integers a and b with $1 \le a \le n$ such that $|a\alpha - b| < 1/n$.


Proof. Consider the n + 1 numbers $0, \{\alpha\}, \{2\alpha\}, \ldots, \{n\alpha\}$. These n + 1 numbers
are the fractional parts of the numbers $j\alpha$, $j = 0, 1, \ldots, n$, so that $0 \le \{j\alpha\} < 1$ for
$j = 0, 1, \ldots, n$. Each of these n + 1 numbers lies in one of the n disjoint intervals
$0 \le x < 1/n$, $1/n \le x < 2/n$, ..., $(j - 1)/n \le x < j/n$, ..., $(n - 1)/n \le x < 1$.
Because there are n + 1 numbers under consideration, but only n intervals, the pigeonhole
principle tells us that at least two of these numbers lie in the same interval. Because each
of these intervals has length 1/n and does not include its right endpoint, we know that
the distance between two numbers that lie in the same interval is less than 1/n. It follows
that there exist integers j and k with $0 \le j < k \le n$ such that $|\{k\alpha\} - \{j\alpha\}| < 1/n$. We
will now show that when $a = k - j$, the product $a\alpha$ is within 1/n of an integer, namely,
the integer $b = [k\alpha] - [j\alpha]$. To see this, note that

$$\begin{aligned}
|a\alpha - b| &= |(k - j)\alpha - ([k\alpha] - [j\alpha])| \\
&= |(k\alpha - [k\alpha]) - (j\alpha - [j\alpha])| \\
&= |\{k\alpha\} - \{j\alpha\}| < 1/n.
\end{aligned}$$

Furthermore, note that because $0 \le j < k \le n$, we have $1 \le a = k - j \le n$. Consequently,
we have found integers a and b with $1 \le a \le n$ and $|a\alpha - b| < 1/n$, as desired. ■


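Example 1.6. Suppose that $\alpha = \sqrt{2}$ and n = 6. We find that $1 \cdot \sqrt{2} \approx 1.414$, $2 \cdot \sqrt{2} \approx 2.828$,
$3 \cdot \sqrt{2} \approx 4.243$, $4 \cdot \sqrt{2} \approx 5.657$, $5 \cdot \sqrt{2} \approx 7.071$, and $6 \cdot \sqrt{2} \approx 8.485$. Among these
numbers $5 \cdot \sqrt{2}$ has the smallest fractional part. We see that $|5 \cdot \sqrt{2} - 7| \approx |7.071 - 7| =
0.071 < 1/6$. It follows that when $\alpha = \sqrt{2}$ and n = 6, we can take a = 5 and b = 7 to
make $|a\alpha - b| < 1/n$. ◀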
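
The pigeonhole construction in the proof of Theorem 1.3 can be run directly. The following Python sketch is an added example, not code from the book; the function names dirichlet_pair and approximations are hypothetical. It also goes one step beyond the theorem by repeating the construction with growing n, as in Exercise 34, to collect fractions p/q with |alpha - p/q| < 1/q^2.

```python
from fractions import Fraction
from math import floor, sqrt


def dirichlet_pair(alpha, n):
    """Follow the proof of Theorem 1.3: return integers (a, b) with
    1 <= a <= n and |a*alpha - b| < 1/n.

    alpha may be a Fraction (exact) or a float (subject to rounding)."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    box_owner = {}                      # interval index -> multiple j that landed there
    for k in range(n + 1):              # the n + 1 numbers {0*alpha}, ..., {n*alpha}
        x = k * alpha
        frac = x - floor(x)             # fractional part {k*alpha}, in [0, 1)
        # Interval [box/n, (box+1)/n); the clamp guards against float rounding to 1.0.
        box = min(floor(n * frac), n - 1)
        if box in box_owner:            # two of the numbers share an interval
            j = box_owner[box]
            a = k - j
            b = floor(k * alpha) - floor(j * alpha)
            return a, b
        box_owner[box] = k
    raise AssertionError("unreachable: n + 1 numbers cannot occupy n boxes singly")


def approximations(alpha, count, n_max=100_000):
    """Collect up to `count` distinct fractions p/q with |alpha - p/q| < 1/q**2.

    Each pair (a, b) gives |alpha - b/a| < 1/(a*n) <= 1/a**2. Choosing the next n
    with 1/n < |a*alpha - b| forces a strictly better pair, which is the idea
    behind Exercise 34. If alpha is rational the error reaches 0 and we stop."""
    found = []
    n = 1
    while len(found) < count and n <= n_max:
        a, b = dirichlet_pair(alpha, n)
        p_over_q = Fraction(b, a)       # reduce to lowest terms
        if p_over_q not in found:
            found.append(p_over_q)
        err = abs(a * alpha - b)
        if err == 0:                    # alpha equals b/a exactly
            break
        n = floor(1 / err) + 1          # now 1/n < err
    return found


if __name__ == "__main__":
    print(dirichlet_pair(sqrt(2), 6))               # the pair of Example 1.6
    print(approximations(sqrt(2), 4))
    print(approximations(Fraction(22, 7), 10))      # rational input terminates early
```

With a float argument such as sqrt(2), the interval assignment is only as reliable as floating-point rounding; pass a Fraction when an exact answer matters.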


Our proof of Theorem 1.3 follows Dirichlet's original 1834 proof. Proving a stronger
version of Theorem 1.3 with 1/(n + 1) replacing 1/n in the approximation is not difficult
(see Exercise 32). Furthermore, in Exercise 34 we show how to use the Dirichlet
approximation theorem to show that, given an irrational number $\alpha$, there are infinitely
many different rational numbers p/q such that $|\alpha - p/q| < 1/q^2$, an important result in
the theory of diophantine approximation. We will return to this topic in Chapter 12.

Sequences


A sequence $\{a_n\}$ is a list of numbers $a_1, a_2, a_3, \ldots$. We will consider many particular
integer sequences in our study of number theory. We introduce several useful sequences
in the following examples.


Example 1.7. The sequence $\{a_n\}$, where $a_n = n^2$, begins with the terms 1, 4, 9, 16, 25,
36, 49, 64, .... This is the sequence of the squares of integers. The sequence $\{b_n\}$, where
$b_n = 2^n$, begins with the terms 2, 4, 8, 16, 32, 64, 128, 256, .... This is the sequence of
powers of 2. The sequence $\{c_n\}$, where $c_n = 0$ if n is odd and $c_n = 1$ if n is even, begins
with the terms 0, 1, 0, 1, 0, 1, 0, 1, .... ◀


There are many sequences in which each successive term is obtained from the 
previous term by multiplying by a common factor. For example, each term in the 
sequence of powers of 2 is 2 times the previous term. This leads to the following 
definition. 


Definition. A geometric progression is a sequence of the form $a, ar, ar^2, ar^3, \ldots,
ar^k, \ldots$, where a, the initial term, and r, the common ratio, are real numbers.


Example 1.8. The sequence $\{a_n\}$, where $a_n = 3 \cdot 5^n$, n = 0, 1, 2, ..., is a geometric
sequence with initial term 3 and common ratio 5. (Note that we have started the sequence
with the term $a_0$. We can start the index of the terms of a sequence with 0 or any other
integer that we choose.) ◀


A common problem in number theory is finding a formula or rule for constructing
the terms of a sequence, even when only a few terms are known (such as trying to find
a formula for the nth triangular number $1 + 2 + 3 + \cdots + n$). Even though the initial
terms of a sequence do not determine the sequence, knowing the first few terms can lead
to a conjecture for a formula or rule for the terms. Consider the following examples.


Example 1.9. Conjecture a formula for $a_n$, where the first eight terms of $\{a_n\}$ are
4, 11, 18, 25, 32, 39, 46, 53. We note that each term, starting with the second, is obtained
by adding 7 to the previous term. Consequently, the nth term could be the initial term
plus 7(n - 1). A reasonable conjecture is that $a_n = 4 + 7(n - 1) = 7n - 3$. ◀


The sequence proposed in Example 1.9 is an arithmetic progression, that is, a
sequence of the form $a, a + d, a + 2d, \ldots, a + nd, \ldots$. The particular sequence in
Example 1.9 has a = 4 and d = 7.


Example 1.10. Conjecture a formula for $a_n$, where the first eight terms of the sequence
$\{a_n\}$ are 5, 11, 29, 83, 245, 731, 2189, 6563. We note that each term is approximately 3
times the previous term, suggesting a formula for $a_n$ in terms of $3^n$. The integers $3^n$ for
n = 1, 2, 3, ... are 3, 9, 27, 81, 243, 729, 2187, 6561. Looking at these two sequences
together, we find that the formula $a_n = 3^n + 2$ produces these terms. ◀


Example 1.11. Conjecture a formula for $a_n$, where the first ten terms of the sequence
$\{a_n\}$ are 1, 1, 2, 3, 5, 8, 13, 21, 34, 55. After examining this sequence from different
perspectives, we notice that each term of this sequence, after the first two terms, is the
sum of the two preceding terms. That is, we see that $a_n = a_{n-1} + a_{n-2}$ for $3 \le n \le 10$.
This is an example of a recursive definition of a sequence, discussed in Section 1.3. The
terms listed in this example are the initial terms of the Fibonacci sequence, which is
discussed in Section 1.4. ◀


Integer sequences arise in many contexts in number theory. Among the sequences 
we will study are the Fibonacci numbers, the prime numbers (covered in Chapter 3), and 
the perfect numbers (introduced in Section 7.3). Integer sequences appear in an amazing 
range of subjects besides number theory. Neil Sloane has amassed a fantastically diverse 
collection of more than 170,000 integer sequences (as of early 2010) in his On-Line 
Encyclopedia of Integer Sequences. This collection is available on the Web. (Note that 
in early 2010, the OEIS Foundation took over maintenance of this collection.) (The 
book [SlPl95] is an earlier printed version containing only a small percentage of the
current contents of the encyclopedia.) This site provides a program for finding sequences
that match initial terms provided as input. You may find this a valuable resource as you 
continue your study of number theory (as well as other subjects). 


We now define what it means for a set to be countable, and show that a set is countable
if and only if its elements can be listed as the terms of a sequence.


Definition. A set is countable if it is finite or it is infinite and there exists a one-to- 
one correspondence between the set of positive integers and the set. A set that is not 
countable is called uncountable. 


An infinite set is countable if and only if its elements can be listed as the terms of a
sequence indexed by the set of positive integers. To see this, simply note that a one-to-one
correspondence f from the set of positive integers to a set S is exactly the same as
a listing of the elements of the set in a sequence $a_1, a_2, \ldots, a_n, \ldots$, where $a_i = f(i)$.


Example 1.12. The set of integers is countable, because the integers can be listed
starting with 0, followed by 1 and -1, followed by 2 and -2, and so on. This produces
the sequence 0, 1, -1, 2, -2, 3, -3, ..., where $a_1 = 0$, $a_{2n} = n$, and $a_{2n+1} = -n$ for
n = 1, 2, .... ◀


Is the set of rational numbers countable? At first glance, it may seem unlikely that 
there would be a one-to-one correspondence between the set of positive integers and the 
set of all rational numbers. However, there is such a correspondence, as the following 
theorem shows. 


Theorem 1.4. The set of rational numbers is countable. 


Proof. We can list the rational numbers as the terms of a sequence, as follows. First, we
arrange all the rational numbers in a two-dimensional array, as shown in Figure 1.1. We
put all fractions with a denominator of 1 in the first row. We arrange these by placing the
fraction with a particular numerator in the position this numerator occupies in the list of
all integers given in Example 1.12. Next, we list all fractions on successive diagonals,
following the order shown in Figure 1.1. Finally, we delete from the list all fractions that
represent rational numbers that have already been listed. (For example, we do not list
2/2, because we have already listed 1/1.)

Figure 1.1 Listing the rational numbers.


(The initial terms of the sequence are 0/1 = 0, 1/1 = 1, -1/1 = -1, 1/2, 1/3, -1/2,
2/1 = 2, -2/1 = -2, -1/3, 1/4, and so on.) We leave it to the reader to fill in the details,
to see that this procedure lists all rational numbers as the terms of a sequence. ■
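
The listing procedure in the proof of Theorem 1.4 can be carried out mechanically. The Python sketch below is an added example, not code from the book. Because Figure 1.1 is not reproduced here, the zigzag order of the diagonals is an assumption inferred from the initial terms quoted in the proof, and the names nth_integer, array_walk, rationals, and position are hypothetical.

```python
from fractions import Fraction
from itertools import islice
from math import gcd


def nth_integer(i):
    """a_i from Example 1.12: a_1 = 0, a_{2n} = n, a_{2n+1} = -n."""
    if i < 1:
        raise ValueError("the index starts at 1")
    if i == 1:
        return 0
    return i // 2 if i % 2 == 0 else -(i // 2)


def array_walk():
    """Visit every cell of the infinite array, one diagonal at a time.

    Row r holds the fractions with denominator r; column c holds the numerator
    nth_integer(c). Assumed zigzag (inferred from the listed initial terms):
    odd-numbered diagonals run from row 1 downward, even-numbered ones run
    back up toward row 1."""
    d = 1
    while True:
        rows = range(1, d + 1) if d % 2 == 1 else range(d, 0, -1)
        for r in rows:
            yield nth_integer(d + 1 - r), r     # (numerator, denominator)
        d += 1


def rationals():
    """Yield each rational number exactly once, in the order of the walk.

    A fraction in lowest terms always sits on an earlier diagonal than any of
    its unreduced forms, so "delete fractions already listed" is the same as
    "keep only fractions in lowest terms" (0 is kept only as 0/1)."""
    for num, den in array_walk():
        if gcd(num, den) == 1:
            yield Fraction(num, den)


def position(q, limit=10**6):
    """Return the 1-based index of the rational q in the listing."""
    q = Fraction(q)
    for index, term in enumerate(islice(rationals(), limit), start=1):
        if term == q:
            return index
    raise LookupError("not found within the search limit")


if __name__ == "__main__":
    print([str(x) for x in islice(rationals(), 10)])
    print(position(Fraction(-3, 7)))
```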


We have shown that the set of rational numbers is countable, but we have not given an 
example of an uncountable set. Such an example is provided by the set of real numbers, 
as shown in Exercise 45. 


EXERCISES 


1. Determine whether each of the following sets is well ordered. Either give a proof using the
well-ordering property of the set of positive integers, or give an example of a subset of the
set that has no smallest element.

a) the set of integers greater than 3

b) the set of even positive integers

c) the set of positive rational numbers

d) the set of positive rational numbers that can be written in the form a/2, where a is a
positive integer

e) the set of nonnegative rational numbers


2. Show that if a and b are positive integers, then there is a smallest positive integer of the form
$a - bk$, $k \in \mathbf{Z}$.


3. Prove that both the sum and the product of two rational numbers are rational.


4. Prove or disprove each of the following statements.

a) The sum of a rational and an irrational number is irrational.
b) The sum of two irrational numbers is irrational.
c) The product of a rational number and an irrational number is irrational.
d) The product of two irrational numbers is irrational.


5. Use the well-ordering property to show that $\sqrt{3}$ is irrational.
6. Show that every nonempty set of negative integers has a greatest element.


7. Find the following values of the greatest integer function.

a) $[1/4]$  b) $[-3/4]$  c) $[22/7]$  d) $[-2]$  e) $[[1/2] + [1/2]]$  f) $[-3 + [-1/2]]$

8. Find the following values of the greatest integer function.

a) $[-1/4]$  b) $[-22/7]$  c) $[5/4]$  d) $[[1/2]]$  e) $[[3/2] + [-3/2]]$  f) $[3 - [1/2]]$


9. Find the fractional part of each of these numbers:

a) 8/5  b) 1/7  c) -11/4  d) 7


10. Find the fractional part of each of these numbers:

a) -8/5  b) 22/7  c) -1  d) -1/3


11. What is the value of $[x] + [-x]$ where x is a real number?

12. Show that $[x] + [x + 1/2] = [2x]$ whenever x is a real number.

13. Show that $[x + y] \ge [x] + [y]$ for all real numbers x and y.

14. Show that $[2x] + [2y] \ge [x] + [y] + [x + y]$ whenever x and y are real numbers.


15. Show that if x and y are positive real numbers, then $[xy] \ge [x][y]$. What is the situation when
both x and y are negative? When one of x and y is negative and the other positive?


16. Show that $-[-x]$ is the least integer greater than or equal to x when x is a real number.


17. Show that $[x + 1/2]$ is the integer nearest to x (when there are two integers equidistant from
x, it is the larger of the two).


18. Show that if m and n are integers, then $[(x + n)/m] = [([x] + n)/m]$ whenever x is a real
number.


19. Show that $[\sqrt{[x]}] = [\sqrt{x}]$ whenever x is a nonnegative real number.


20. Show that if m is a positive integer, then

$$[mx] = [x] + [x + (1/m)] + [x + (2/m)] + \cdots + [x + (m - 1)/m]$$

whenever x is a real number.

21. Conjecture a formula for the nth term of $\{a_n\}$ if the first ten terms of this sequence are as
follows.
a) 3, 11, 19, 27, 35, 43, 51, 59, 67, 75
b) 5, 7, 11, 19, 35, 67, 131, 259, 515, 1027
c) 1, 0, 0, 1, 0, 0, 0, 0, 1, 0
d) 1, 3, 4, 7, 11, 18, 29, 47, 76, 123

22. Conjecture a formula for the nth term of $\{a_n\}$ if the first ten terms of this sequence are as
follows.
a) 2, 6, 18, 54, 162, 486, 1458, 4374, 13122, 39366
b) 1, 1, 0, 1, 1, 0, 1, 1, 0, 1
c) 1, 2, 3, 5, 7, 10, 13, 17, 21, 26
d) 3, 5, 11, 21, 43, 85, 171, 341, 683, 1365

23. Find three different formulas or rules for the terms of a sequence $\{a_n\}$ if the first three terms
of this sequence are 1, 2, 4.


24. Find three different formulas or rules for the terms of a sequence $\{a_n\}$ if the first three terms
of this sequence are 2, 3, 6.


25. Show that the set of all integers greater than -100 is countable.
26. Show that the set of all rational numbers of the form n/5, where n is an integer, is countable.


27. Show that the set of all numbers of the form $a + b\sqrt{2}$, where a and b are integers, is countable.


28. Show that the union of two countable sets is countable.


29. Show that the union of a countable number of countable sets is countable.


30. Using a computational aid, if needed, find integers a and b such that $1 \le a \le 8$ and
$|a\alpha - b| < 1/8$, where $\alpha$ has these values:

a) $\sqrt{2}$  b) $\sqrt[3]{2}$  c) $\pi$  d) e


31. Using a computational aid, if needed, find integers a and b such that $1 \le a \le 10$ and
$|a\alpha - b| < 1/10$, where $\alpha$ has these values:

a) $\sqrt{3}$  b) $\sqrt[3]{3}$  c) $\pi^2$  d) $e^2$


32. Prove the following stronger version of Dirichlet's approximation. If $\alpha$ is a real number
and n is a positive integer, there are integers a and b such that $1 \le a \le n$ and
$|a\alpha - b| \le 1/(n + 1)$. (Hint: Consider the n + 2 numbers $0, \ldots, \{j\alpha\}, \ldots, 1$ and the n + 1 intervals
$(k - 1)/(n + 1) \le x < k/(n + 1)$ for k = 1, ..., n + 1.)


33. Show that if $\alpha$ is a real number and n is a positive integer, then there is an integer k such that
$|\alpha - n/k| < 1/2k$.


34. Use Dirichlet's approximation theorem to show that if $\alpha$ is an irrational number, then there are
infinitely many positive integers q for which there is an integer p such that $|\alpha - p/q| < 1/q^2$.


35. Find four rational numbers p/q with $|\sqrt{2} - p/q| < 1/q^2$.
36. Find five rational numbers p/q with $|\sqrt[3]{5} - p/q| < 1/q^2$.


37. Show that if $\alpha = a/b$ is a rational number, then there are only finitely many rational numbers
p/q such that $|p/q - a/b| < 1/q^2$.


The spectrum sequence of a real number $\alpha$ is the sequence that has $[n\alpha]$ as its nth term.


38. Find the first ten terms of the spectrum sequence of each of the following numbers.

a) 2  b) $\sqrt{2}$  c) $2 + \sqrt{2}$  d) e  e) $(1 + \sqrt{5})/2$

39. Find the first ten terms of the spectrum sequence of each of the following numbers.

a) 3  b) $\sqrt{3}$  c) $(3 + \sqrt{3})/2$  d) $\pi$


40. Prove that if $\alpha \neq \beta$, then the spectrum sequence of $\alpha$ is different from the spectrum sequence
of $\beta$.

** 41. Show that every positive integer occurs exactly once in the spectrum sequence of $\alpha$ or in
the spectrum sequence of $\beta$ if and only if $\alpha$ and $\beta$ are positive irrational numbers such that
$1/\alpha + 1/\beta = 1$.


The Ulam numbers $u_n$, n = 1, 2, 3, ... are defined as follows. We specify that $u_1 = 1$ and $u_2 = 2$.
For each successive integer m, m > 2, this integer is an Ulam number if and only if it can be written
uniquely as the sum of two distinct Ulam numbers. These numbers are named for Stanislaw Ulam,
who first described them in 1964.


42. Find the first ten Ulam numbers. 
43. Show that there are infinitely many Ulam numbers. 
44. Prove that e is irrational. (Hint: Use the fact that e = 1+ 1/1!+ 1/2!+ 1/3!+---.) 


45. Show that the set of real numbers is uncountable. (Hint: Suppose it is possible to list the real 
numbers between 0 and 1. Show that the number whose ith decimal digit is 4 when the ith 
decimal digit of the ith real number in the list is 5 and is 5 otherwise is not on the list.) 


Computations and Explorations 


1. Find 10 rational numbers p/q such that $| - p/q| < 1/q^2$.
2. Find 20 rational numbers p/q such that $|e - p/q| < 1/q^2$.


3. Find as many terms as you can of the spectrum sequence of $\sqrt{2}$. (See the preamble to
Exercise 38 for the definition of spectrum.)


STANISLAW M. ULAM (1909-1984) was born in Lvov, Poland. He became
interested in astronomy and physics at age 12, after receiving a telescope from
his uncle. He decided to learn the mathematics required to understand relativity
theory, and at the age of 14 he used textbooks to learn calculus and other
mathematics.

Ulam received his Ph.D. from the Polytechnic Institute in Lvov in 1933,
completing his degree under the mathematician Banach, in the area of real
analysis. In 1935, he was invited to spend several months at the Institute for
Advanced Study; in 1936, he joined Harvard University as a member of the Society of Fellows,
remaining in this position until 1940. During these years he returned each summer to Poland where
he spent time in cafes, such as the Scottish Cafe, intensely doing mathematics with his fellow Polish
mathematicians.

Luckily for Ulam, he left Poland in 1939, just one month before the outbreak of World War
II. In 1940, he was appointed to a position as an assistant professor at the University of Wisconsin,
and in 1943, he was enlisted to work in Los Alamos on the development of the first atomic bomb,
as part of the Manhattan Project. Ulam made several key contributions that led to the creation of
thermonuclear bombs. At Los Alamos, Ulam also developed the Monte Carlo method, which uses a
sampling technique with random numbers to find solutions of mathematical problems.

Ulam remained at Los Alamos after the war until 1965. He served on the faculties of the
University of Southern California, the University of Colorado, and the University of Florida. Ulam
had a fabulous memory and was an extremely verbal person. His mind was a repository of stories,
jokes, puzzles, quotations, formulas, problems, and many other types of information. He wrote several
books, including Sets, Numbers, and Universes and Adventures of a Mathematician. He was interested
in and contributed to many areas of mathematics, including number theory, real analysis, probability
theory, and mathematical biology.

4. Find as many terms as you can of the spectrum sequence of :. (See the preamble to Exercise 38
for the definition of spectrum.)


5. Find the first 1000 Ulam numbers.
6. How many pairs of consecutive integers can you find where both are Ulam numbers?


7. Can the sum of any two consecutive Ulam numbers, other than 1 and 2, be another Ulam
number? If so, how many examples can you find?


8. How large are the gaps between consecutive Ulam numbers? Do you think that these gaps
can be arbitrarily long?


9. What conjectures can you make about the number of Ulam numbers less than an integer n?
Do your computations support these conjectures?


Programming Projects 


1. Given a number $\alpha$, find rational numbers p/q such that $|\alpha - p/q| < 1/q^2$.
2. Given a number $\alpha$, find its spectrum sequence.


3. Find the first n Ulam numbers, where n is a positive integer.


1.2 Sums and Products 


Because summations and products arise so often in the study of number theory, we now
introduce notation for summations and products. The following notation represents the
sum of the numbers $a_1, a_2, \ldots, a_n$:

$$\sum_{k=1}^{n} a_k = a_1 + a_2 + \cdots + a_n.$$

The letter k, the index of summation, is a "dummy variable" and can be replaced by any
letter. For instance,

$$\sum_{k=1}^{n} a_k = \sum_{j=1}^{n} a_j = \sum_{i=1}^{n} a_i, \text{ and so forth.}$$


Example 1.13. We see that $\sum_{j=1}^{5} j = 1 + 2 + 3 + 4 + 5 = 15$, $\sum_{j=1}^{5} 2 = 2 + 2 + 2 + 2 + 2 = 10$,
and $\sum_{j=1}^{5} 2^j = 2 + 2^2 + 2^3 + 2^4 + 2^5 = 62$.

We also note that, in summation notation, the index of summation may range
between any two integers, as long as the lower limit does not exceed the upper limit.
If m and n are integers such that $m \le n$, then $\sum_{k=m}^{n} a_k = a_m + a_{m+1} + \cdots + a_n$. For
instance, we have $\sum_{k=3}^{5} k^2 = 3^2 + 4^2 + 5^2 = 50$, $\sum_{k=0}^{2} 3^k = 3^0 + 3^1 + 3^2 = 13$, and
$\sum_{k=-2}^{1} k^3 = (-2)^3 + (-1)^3 + 0^3 + 1^3 = -8$. ◀

We will often need to consider sums in which the index of summation ranges over
all those integers that possess a particular property. We can use summation notation to 
specify the particular property or properties the index must have for a term with that index 
to be included in the sum. This use of notation is illustrated in the following example. 


Example 1.14. We see that

$$\sum_{\substack{j \le 10 \\ j \in \{n^2 \mid n \in \mathbf{Z}\}}} 1/(j + 1) = 1/1 + 1/2 + 1/5 + 1/10 = 9/5,$$

because the terms in the sum are all those for which j is an integer not exceeding 10 that
is a perfect square. ◀


The following three properties for summations are often useful. We leave their proofs 
to the reader. 


$$\sum_{j=m}^{n} c a_j = c \sum_{j=m}^{n} a_j \qquad (1.1)$$

$$\sum_{j=m}^{n} (a_j + b_j) = \sum_{j=m}^{n} a_j + \sum_{j=m}^{n} b_j \qquad (1.2)$$
n q q n 
i=m j=p i=m jJ=p i=m 


Next, we develop several useful summation formulas. We often need to evaluate 
sums of consecutive terms of a geometric series. The following example shows how a 
formula for such sums can be derived. 


Example 1.15. To evaluate

$$S = \sum_{j=0}^{n} ar^j,$$

the sum of the first n + 1 terms of the geometric series $a, ar, \ldots, ar^k, \ldots$, we multiply
both sides by r and manipulate the resulting sum to find:

$$\begin{aligned}
rS &= r \sum_{j=0}^{n} ar^j \\
&= \sum_{j=0}^{n} ar^{j+1} \\
&= \sum_{k=1}^{n+1} ar^k && \text{(shifting the index of summation, taking } k = j + 1\text{)} \\
&= \sum_{k=0}^{n} ar^k + (ar^{n+1} - a) && \text{(removing the term with } k = n + 1 \text{ from the sum and adding the term with } k = 0\text{)} \\
&= S + (ar^{n+1} - a).
\end{aligned}$$

It follows that

$$rS - S = (ar^{n+1} - a).$$

Solving for S shows that when $r \neq 1$,

$$S = \frac{ar^{n+1} - a}{r - 1}.$$

Note that when r = 1, we have $\sum_{j=0}^{n} ar^j = \sum_{j=0}^{n} a = (n + 1)a$. ◀


Example 1.16. Taking a = 3, r = -5, and n = 6 in the formula found in Example 1.15,
we see that $\sum_{j=0}^{6} 3(-5)^j = \frac{3(-5)^7 - 3}{-5 - 1} = 39{,}063$. ◀


The following example shows that the sum of the first n consecutive powers of 2 is
1 less than the next power of 2.


Example 1.17. Let n be a positive integer. To find the sum

$$\sum_{k=0}^{n} 2^k = 1 + 2 + 2^2 + \cdots + 2^n,$$

we use Example 1.15, with a = 1 and r = 2, to obtain

$$1 + 2 + 2^2 + \cdots + 2^n = \frac{2^{n+1} - 1}{2 - 1} = 2^{n+1} - 1.$$ ◀

A summation of the form $\sum_{j=1}^{n} (a_j - a_{j-1})$, where $a_0, a_1, a_2, \ldots, a_n$ is a sequence
of numbers, is said to be telescoping. Telescoping sums are easily evaluated because

$$\sum_{j=1}^{n} (a_j - a_{j-1}) = (a_1 - a_0) + (a_2 - a_1) + \cdots + (a_n - a_{n-1}) = a_n - a_0.$$

The ancient Greeks were interested in sequences of numbers that can be represented
by regular arrangements of equally spaced points. The following example illustrates one 
such sequence of numbers. 


Example 1.18. The triangular numbers $t_1, t_2, t_3, \ldots, t_k, \ldots$ is the sequence where $t_k$
is the number of dots in the triangular array of k rows with j dots in the jth row. ◀


Figure 1.2 illustrates that $t_k$ counts the dots in successively larger regular triangles
for k = 1, 2, 3, 4, and 5.


Figure 1.2 The Triangular Numbers.

Next, we will determine an explicit formula for the nth triangular number $t_n$.


Example 1.19. How can we find a formula for the nth triangular number? One approach
is to use the identity $(k + 1)^2 - k^2 = 2k + 1$. When we isolate the factor k, we find
that $k = ((k + 1)^2 - k^2)/2 - 1/2$. When we sum this expression for k over the values
k = 1, 2, ..., n, we obtain

$$\begin{aligned}
t_n &= \sum_{k=1}^{n} k \\
&= \sum_{k=1}^{n} ((k + 1)^2 - k^2)/2 - \sum_{k=1}^{n} 1/2 && \text{(replacing } k \text{ with } (((k + 1)^2 - k^2)/2) - 1/2\text{)} \\
&= ((n + 1)^2/2 - 1/2) - n/2 && \text{(simplifying a telescoping sum)} \\
&= (n^2 + 2n)/2 - n/2 \\
&= (n^2 + n)/2 \\
&= n(n + 1)/2.
\end{aligned}$$

The second equality here follows by the formula for the sum of a telescoping series with
$a_k = (k + 1)^2 - k^2$. We conclude that the nth triangular number $t_n = n(n + 1)/2$. (See
Exercise 7 for another way to find $t_n$.) ◀


We also define a notation for products, analogous to that for summations. The
product of the numbers $a_1, a_2, \ldots, a_n$ is denoted by

$$\prod_{j=1}^{n} a_j = a_1 a_2 \cdots a_n.$$

The letter j above is a "dummy variable," and can be replaced arbitrarily.


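Example 1.20. To illustrate the notation for products, we have

$$\prod_{j=1}^{5} j = 1 \cdot 2 \cdot 3 \cdot 4 \cdot 5 = 120,$$

$$\prod_{j=1}^{5} 2 = 2 \cdot 2 \cdot 2 \cdot 2 \cdot 2 = 2^5 = 32, \text{ and}$$

$$\prod_{j=1}^{5} 2^j = 2 \cdot 2^2 \cdot 2^3 \cdot 2^4 \cdot 2^5 = 2^{15}.$$ ◀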

The factorial function arises throughout number theory. 


Definition. Let n be a positive integer. Then n! (read as "n factorial") is the product of
the integers 1, 2, ..., n. We also specify that 0! = 1. In terms of product notation, we
have $n! = \prod_{j=1}^{n} j$.


Example 1.21. We have 1! = 1, $4! = 1 \cdot 2 \cdot 3 \cdot 4 = 24$, and
$12! = 1 \cdot 2 \cdot 3 \cdot 4 \cdot 5 \cdot 6 \cdot 7 \cdot 8 \cdot 9 \cdot 10 \cdot 11 \cdot 12 = 479{,}001{,}600$. ◀


1.2 EXERCISES 


1. Find each of the following sums. 
aa? OYA o9D_wvu+D 

2. Find each of the following sums. 
ai93 = dB VjagF-3) oo) Dj oF + D/C +2) 

3. Find each of the following sums. 
a yj2 db) 5-3) o) Y9_, 3(- 1/2) 

4. Find each of the following sums. 
) ye! Dee’ oy 2 0/3) 

* 5, Find and prove a formula for Delve in terms of n and [,/n]. (Hint: Use the formula 

ee P =H + Nt + 2/6.) 

6. By putting together two triangular arrays, one with n rows and one with n - 1 rows, to form
a square (as illustrated for n = 4), show that $t_{n-1} + t_n = n^2$, where $t_n$ is the nth triangular
number.


7. By putting together two triangular arrays, each with n rows, to form a rectangular array of
dots of size n by n + 1 (as illustrated for n = 4), show that $2t_n = n(n + 1)$. From this, conclude
that $t_n = n(n + 1)/2$.


8. Show that $3t_n + t_{n-1} = t_{2n}$, where $t_n$ is the nth triangular number.


9. Show that $t_{n+1}^2 - t_n^2 = (n + 1)^3$, where $t_n$ is the nth triangular number.


The pentagonal numbers $p_1, p_2, p_3, \ldots, p_k, \ldots$, are the integers that count the number of dots
in k nested pentagons, as shown in the following figure.


10. Show that $p_1 = 1$ and $p_k = p_{k-1} + (3k - 2)$ for $k \ge 2$. Conclude that $p_n = \sum_{k=1}^{n} (3k - 2)$ and
evaluate this sum to find a simple formula for $p_n$.

11. Prove that the sum of the (n — 1)st triangular number and the nth square number is the nth 

pentagonal number. 

12. a) Define the hexagonal numbers $h_n$ for n = 1, 2, ... in a manner analogous to the definitions
of triangular, square, and pentagonal numbers. (Recall that a hexagon is a six-sided
polygon.)

b) Find a closed formula for hexagonal numbers. 

13. a) Define the heptagonal numbers in a manner analogous to the definitions of triangular,
square, and pentagonal numbers. (Recall that a heptagon is a seven-sided polygon.)

b) Find a closed formula for heptagonal numbers.

14. Show that $h_n = t_{2n-1}$ for all positive integers n, where $h_n$ is the nth hexagonal number,
defined in Exercise 12, and $t_{2n-1}$ is the (2n - 1)st triangular number.

15. Show that $p_n = t_{3n-1}/3$, where $p_n$ is the nth pentagonal number and $t_{3n-1}$ is the
(3n - 1)st triangular number.

The tetrahedral numbers $T_1, T_2, T_3, \ldots, T_k, \ldots$ are the integers that count the number
of dots on the faces of k nested tetrahedra, as shown in the following figure.
16. Show that the nth tetrahedral number is the sum of the first n triangular numbers.

17. Find and prove a closed formula for the nth tetrahedral number.

18. Find n! for n equal to each of the first ten positive integers.

19. List the integers 100!, 100!, 2!°, and (50!) in order of increasing size. Justify your answer.

20. Express each of the following products in terms of $\prod_{j=1}^{n} a_j$, where k is a constant.
a) $\prod_{j=1}^{n} k a_j$   b) $\prod_{j=1}^{n} j a_j$   c) $\prod_{j=1}^{n} a_j^k$

21. Use the identity $\frac{1}{k(k+1)} = \frac{1}{k} - \frac{1}{k+1}$ to evaluate
$\sum_{k=1}^{n} \frac{1}{k(k+1)}$.

22. Use the identity ZI ; (qh = =) to evaluate )°;_. Pa i:

23. Find a formula for $\sum_{k=1}^{n} k^2$ using a technique analogous to that in Example 1.21 and
the formula found there.

24. Find a formula for $\sum_{k=1}^{n} k^3$ using a technique analogous to that in Example 1.19, and
the results of that example and Exercise 21.

25. Without multiplying all the terms, verify these equalities.
a) 10! = 6! 7!   b) 10! = 7! 5! 3!   c) 16! = 14! 5! 2!   d) 9! = 7! 3! 3! 2!

26. Let $a_1, a_2, \ldots, a_n$ be positive integers. Let $b = (a_1!\, a_2! \cdots a_n!) - 1$, and
$c = a_1!\, a_2! \cdots a_n!$. Show that $c! = a_1!\, a_2! \cdots a_n!\, b!$.

27. Find all positive integers x, y, and z such that x! + y! = z!.

28. Find the values of the following products.
a T'.d-¥) »)[T'_,d- 1/7?)


Computations and Explorations

1. What are the largest values of n for which n! has fewer than 100 decimal digits, fewer than
1000 decimal digits, and fewer than 10,000 decimal digits?

2. Find as many triangular numbers that are perfect squares as you can. (We will study this
question in the Exercises in Section 13.4.)

3. Find as many tetrahedral numbers that are perfect squares as you can.


Programming Projects

1. Given the terms of a sequence $a_1, a_2, \ldots, a_n$, compute $\sum_{j=1}^{n} a_j$ and
$\prod_{j=1}^{n} a_j$.

2. Given the terms of a geometric progression, find the sum of its terms.

3. Given a positive integer n, find the nth triangular number, the nth perfect square, the nth
pentagonal number, and the nth tetrahedral number.


1.3 Mathematical Induction 


By examining the sums of the first n odd positive integers for small values of n, we can
conjecture a formula for this sum. We have

1 = 1,
1 + 3 = 4,
1 + 3 + 5 = 9,
1 + 3 + 5 + 7 = 16,
1 + 3 + 5 + 7 + 9 = 25,
1 + 3 + 5 + 7 + 9 + 11 = 36.

From these values, we conjecture that
$\sum_{j=1}^{n} (2j - 1) = 1 + 3 + 5 + 7 + \cdots + 2n - 1 = n^2$ for every positive integer n.


How can we prove that this formula holds for all positive integers n? 


The principle of mathematical induction is a valuable tool for proving results
about the integers, such as the formula just conjectured for the sum of the first n odd
positive integers. First, we will state this principle, and then we will show how it is
used. Subsequently, we will use the well-ordering principle to show that mathematical
induction is a valid proof technique. We will use the principle of mathematical induction,
and the well-ordering property, many times in our study of number theory.


We must accomplish two things to prove by mathematical induction that a particular 
statement holds for every positive integer. Letting S be the set of positive integers for 
which we claim the statement to be true, we must show that 1 belongs to S; that is, that 
the statement is true for the integer 1. This is called the basis step. 


Second, we must show, for each positive integer n, that n + 1 belongs to S if n does;
that is, that the statement is true for n + 1 if it is true for n. This is called the inductive step.
Once these two steps are completed, we can conclude by the principle of mathematical
induction that the statement is true for all positive integers.


Theorem 1.5. The Principle of Mathematical Induction. A set of positive integers 
that contains the integer 1, and that has the property that, if it contains the integer k, then 
it also contains k + 1, must be the set of all positive integers. 


We illustrate the use of mathematical induction by several examples; first, we prove 
the conjecture made at the start of this section. 
Example 1.22. We will use mathematical induction to show that

$$\sum_{j=1}^{n} (2j - 1) = 1 + 3 + \cdots + (2n - 1) = n^2$$

for every positive integer n. (By the way, if our conjecture for the value of this sum was
incorrect, mathematical induction would fail to produce a proof!)

We begin with the basis step, which follows because

$$\sum_{j=1}^{1} (2j - 1) = 2 \cdot 1 - 1 = 1 = 1^2.$$

For the inductive step, we assume the inductive hypothesis that the formula holds
for n; that is, we assume that $\sum_{j=1}^{n} (2j - 1) = n^2$. Using the inductive hypothesis, we
have

$$\begin{aligned}
\sum_{j=1}^{n+1} (2j - 1) &= \sum_{j=1}^{n} (2j - 1) + (2(n + 1) - 1) && \text{(splitting off the term with } j = n + 1\text{)} \\
&= n^2 + 2(n + 1) - 1 && \text{(using the inductive hypothesis)} \\
&= n^2 + 2n + 1 \\
&= (n + 1)^2.
\end{aligned}$$

Because both the basis and the inductive steps have been completed, we know that the
result holds. ◄


Next, we prove an inequality via mathematical induction. 


Example 1.23. We can show by mathematical induction that $n! \le n^n$ for every positive
integer n. The basis step, namely, the case where n = 1, holds because $1! = 1 \le 1^1 = 1$.
Now, assume that $n! \le n^n$; this is the inductive hypothesis. To complete the proof, we
must show, under the assumption that the inductive hypothesis is true, that
$(n + 1)! \le (n + 1)^{n+1}$. Using the inductive hypothesis, we have

$$\begin{aligned}
(n + 1)! &= (n + 1) \cdot n! \\
&\le (n + 1)\, n^n \\
&< (n + 1)(n + 1)^n \\
&\le (n + 1)^{n+1}.
\end{aligned}$$

This completes both the inductive step and the proof. ◄


The Origin of Mathematical Induction
The first known use of mathematical induction appears in the work of the sixteenth-century
mathematician Francesco Maurolico (1494-1575). In his book Arithmeticorum Libri Duo,
Maurolico presented various properties of the integers, together with proofs. He devised the
method of mathematical induction so that he could complete some of the proofs. The first
use of mathematical induction in his book was in the proof that the sum of the first n odd
positive integers equals $n^2$.


We now show that the principle of mathematical induction follows from the well- 
ordering principle. 


Proof. Let S be a set of positive integers containing the integer 1, and the integer n + 1
whenever it contains n. Assume (for the sake of contradiction) that S is not the set of
all positive integers. Therefore, there are some positive integers not contained in S. By
the well-ordering property, because the set of positive integers not contained in S is
nonempty, there is a least positive integer n that is not in S. Note that n ≠ 1, because 1
is in S.

Now, because n > 1 (as there is no positive integer n with n < 1), the integer n - 1
is a positive integer smaller than n, and hence must be in S. But because S contains
n - 1, it must also contain (n - 1) + 1 = n, which is a contradiction, as n is supposedly
the smallest positive integer not in S. This shows that S must be the set of all positive
integers. ■


A slight variant of the principle of mathematical induction is also sometimes useful 
in proofs. 


Theorem 1.6. The Second Principle of Mathematical Induction. A set of positive
integers that contains the integer 1, and that has the property that, for every positive
integer n, if it contains all the positive integers 1, 2, ..., n, then it also contains the
integer n + 1, must be the set of all positive integers.


The second principle of mathematical induction is sometimes called strong induction
to distinguish it from the principle of mathematical induction, which is also called
weak induction.


Before proving that the second principle of mathematical induction is valid, we will 
give an example to illustrate its use. 


Example 1.24. We will show that any amount of postage more than one cent can be
formed using just two-cent and three-cent stamps. For the basis step, note that postage
of two cents can be formed using one two-cent stamp and postage of three cents can be
formed using one three-cent stamp.


For the inductive step, assume that every amount of postage not exceeding n cents,
$n \ge 3$, can be formed using two-cent and three-cent stamps. Then a postage amount of
n + 1 cents can be formed by taking stamps of n - 1 cents together with a two-cent
stamp. This completes the proof. ◄


We will now show that the second principle of mathematical induction is a valid
technique.


Proof. Let T be a set of integers containing 1 and such that for every positive integer n,
if it contains 1, 2, ..., n, it also contains n + 1. Let S be the set of all positive integers
n such that all the positive integers less than or equal to n are in T. Then 1 is in S, and
by the hypotheses, we see that if n is in S, then n + 1 is in S. Hence, by the principle
of mathematical induction, S must be the set of all positive integers, so clearly T is also
the set of all positive integers, because S is a subset of T. ■


Recursive Definitions 


The principle of mathematical induction provides a method for defining the values of 
functions at positive integers. Instead of explicitly specifying the value of the function 
at n, we give the value of the function at 1 and give a rule for finding, for each positive 
integer n, the value of the function at n + 1 from the value of the function at n. 


Definition. We say that the function f is defined recursively if the value of f at 1 is 
specified and if for each positive integer n a rule is provided for determining f (n + 1) 
from f(n). 


The principle of mathematical induction can be used to show that a function that is 
defined recursively is defined uniquely at each positive integer (see Exercise 25 at the 
end of this section). We illustrate how to define a function recursively with the following 
definition. 


Example 1.25. We will recursively define the factorial function f(n) = n!. First, we
specify that

f(1) = 1.

Then we give a rule for finding f(n + 1) from f(n) for each positive integer, namely,

f(n + 1) = (n + 1) · f(n).

These two statements uniquely define n! for the set of positive integers.


To find the value of f(6) = 6! from the recursive definition, use the second property
successively, as follows:


f(6) = 6 · f(5) = 6 · 5 · f(4) = 6 · 5 · 4 · f(3) = 6 · 5 · 4 · 3 · f(2) = 6 · 5 · 4 · 3 · 2 · f(1).


Then use the first statement of the definition to replace f(1) by its stated value 1, to
conclude that


6! = 6 · 5 · 4 · 3 · 2 · 1 = 720. ◄


The second principle of mathematical induction also serves as a basis for recursive
definitions. We can define a function whose domain is the set of positive integers by
specifying its value at 1 and giving a rule, for each positive integer n, for finding f(n)
from the values f(j) for each integer j with $1 \le j \le n - 1$. This will be the basis for the
definition of the sequence of Fibonacci numbers discussed in Section 1.4.


EXERCISES 


1. Use mathematical induction to prove that $n < 2^n$ whenever n is a positive integer.

2. Conjecture a formula for the sum of the first n even positive integers. Prove your result using
mathematical induction.

3. Use mathematical induction to prove that
$\sum_{k=1}^{n} \frac{1}{k^2} = \frac{1}{1^2} + \frac{1}{2^2} + \cdots + \frac{1}{n^2} \le 2 - \frac{1}{n}$
whenever n is a positive integer.

4. Conjecture a formula for
$\sum_{k=1}^{n} \frac{1}{k(k+1)} = \frac{1}{1 \cdot 2} + \frac{1}{2 \cdot 3} + \cdots + \frac{1}{n(n+1)}$
from the value of this sum for small integers n. Prove that your conjecture is correct using
mathematical induction. (Compare this to Exercise 17 in Section 1.2.)

5. Conjecture a formula for $A^n$ where A = ( : ) . Prove your conjecture using mathematical
induction.

6. Use mathematical induction to prove that
$\sum_{j=1}^{n} j = 1 + 2 + 3 + \cdots + n = n(n + 1)/2$ for every positive integer n.
(Compare this to Example 1.19 in Section 1.2.)

7. Use mathematical induction to prove that
$\sum_{j=1}^{n} j^2 = 1^2 + 2^2 + 3^2 + \cdots + n^2 = n(n + 1)(2n + 1)/6$ for every positive integer n.

8. Use mathematical induction to prove that
$\sum_{j=1}^{n} j^3 = 1^3 + 2^3 + 3^3 + \cdots + n^3 = [n(n + 1)/2]^2$ for every positive integer n.

9. Use mathematical induction to prove that
$\sum_{j=1}^{n} j(j + 1) = 1 \cdot 2 + 2 \cdot 3 + \cdots + n \cdot (n + 1) = n(n + 1)(n + 2)/3$
for every positive integer n.

10. Use mathematical induction to prove that
$\sum_{j=1}^{n} (-1)^{j-1} j^2 = 1^2 - 2^2 + 3^2 - \cdots + (-1)^{n-1} n^2 = (-1)^{n-1} n(n + 1)/2$
for every positive integer n.

11. Find a formula for $\prod_{j=1}^{n} 2^j$.

12. Show that $\sum_{j=1}^{n} j \cdot j! = 1 \cdot 1! + 2 \cdot 2! + \cdots + n \cdot n! = (n + 1)! - 1$
for every positive integer n.
13. Show that any amount of postage that is an integer number of cents greater than 11 cents can
be formed using just 4-cent and 5-cent stamps.

14. Show that any amount of postage that is an integer number of cents greater than 53 cents can
be formed using just 7-cent and 10-cent stamps.


Let $H_n$ be the nth partial sum of the harmonic series, that is, $H_n = \sum_{j=1}^{n} 1/j$.


* 15. Use mathematical induction to show that $H_{2^n} \ge 1 + n/2$.

* 16. Use mathematical induction to show that $H_{2^n} \le 1 + n$.

17. Show by mathematical induction that if n is a positive integer, then $(2n)! < 2^{2n}(n!)^2$.

18. Use mathematical induction to prove that x - y is a factor of $x^n - y^n$, where x and y are
variables.
> 19. Use the principle of mathematical induction to show that a set of integers that contains the
integer k, such that this set contains n + 1 whenever it contains n, contains the set of integers
that are greater than or equal to k.

20. Use mathematical induction to prove that $2^n < n!$ for $n \ge 4$.

21. Use mathematical induction to prove that $n^2 < n!$ for $n \ge 4$.

22. Show by mathematical induction that if $h \ge -1$, then $1 + nh \le (1 + h)^n$ for all nonnegative
integers n.

23. A jigsaw puzzle is solved by putting its pieces together in the correct way. Show that exactly
n - 1 moves are required to solve a jigsaw puzzle with n pieces, where a move consists of
putting together two blocks of pieces, with a block consisting of one or more assembled
pieces. (Hint: Use the second principle of mathematical induction.)

24. Explain what is wrong with the following proof by mathematical induction that all horses are
the same color: Clearly all horses in any set of 1 horse are all the same color. This completes
the basis step. Now assume that all horses in any set of n horses are the same color. Consider
a set of n + 1 horses, labeled with the integers 1, 2, ..., n + 1. By the induction hypothesis,
horses 1, 2, ..., n are all the same color, as are horses 2, 3, ..., n, n + 1. Because these two
sets of horses have common members, namely, horses 2, 3, 4, ..., n, all n + 1 horses must
be the same color. This completes the induction argument.

25. Use the principle of mathematical induction to show that the value at each positive integer of
a function defined recursively is uniquely determined.

26. What function f(n) is defined recursively by f(1) = 2 and f(n + 1) = 2f(n) for $n \ge 1$?
Prove your answer using mathematical induction.

27. If g is defined recursively by g(1) = 2 and $g(n) = 2^{g(n-1)}$ for $n \ge 2$, what is g(4)?

28. Use the second principle of mathematical induction to show that if f(1) is specified and a
rule for finding f(n + 1) from the values of f at the first n positive integers is given, then
f(n) is uniquely determined for every positive integer n.

29. We define a function recursively for all positive integers n by f(1) = 1, f(2) = 5, and
for $n \ge 2$, f(n + 1) = f(n) + 2f(n - 1). Show that $f(n) = 2^n + (-1)^n$, using the second
principle of mathematical induction.

30. Show that $2^n > n^2$ whenever n is an integer greater than 4.

31. Suppose that $a_0 = 1$, $a_1 = 3$, $a_2 = 9$, and $a_n = a_{n-1} + a_{n-2} + a_{n-3}$ for $n \ge 3$.
Show that $a_n \le 3^n$ for every nonnegative integer n.

32. The tower of Hanoi was a popular puzzle of the late nineteenth century. The puzzle includes
three pegs and eight rings of different sizes placed in order of size, with the largest on the
bottom, on one of the pegs. The goal of the puzzle is to move all of the rings, one at a time,
without ever placing a larger ring on top of a smaller ring, from the first peg to the second,
using the third as an auxiliary peg.

a) Use mathematical induction to show that the minimum number of moves to transfer n
rings from one peg to another, with the rules we have described, is $2^n - 1$.

b) An ancient legend tells of the monks in a tower with 64 gold rings and 3 diamond pegs.
They started moving the rings, one move per second, when the world was created. When
they finish transferring the rings to the second peg, the world will end. How long will the
world last?

* 33. The arithmetic mean and the geometric mean of the positive real numbers $a_1, a_2, \ldots, a_n$
are $A = (a_1 + a_2 + \cdots + a_n)/n$ and $G = (a_1 a_2 \cdots a_n)^{1/n}$, respectively. Use mathematical
induction to prove that $A \ge G$ for every finite sequence of positive real numbers. When does
equality hold?

34. Use mathematical induction to show that a $2^n \times 2^n$ chessboard with one square missing can
be covered with L-shaped pieces, where each L-shaped piece covers three squares.

* 35. A unit fraction is a fraction of the form 1/n, where n is a positive integer. Because the
ancient Egyptians represented fractions as sums of distinct unit fractions, such sums are called
Egyptian fractions. Show that every rational number p/q, where p and q are integers with
0 < p < q, can be written as a sum of distinct unit fractions, that is, as an Egyptian fraction.
(Hint: Use strong induction on the numerator p to show that the greedy algorithm that adds
the largest possible unit fraction at each stage always terminates. For example, running this
algorithm shows that 5/7 = 1/2 + 1/5 + 1/70.)

36. Using the algorithm in Exercise 35, write each of these numbers as Egyptian fractions.
a) 2/3 b) 5/8 c) 11/17 d) 44/101


Computations and Explorations

1. Complete the basis and inductive steps, using both numerical and symbolic computation, to
prove that $\sum_{j=1}^{n} j = n(n + 1)/2$ for all positive integers n.

2. Complete the basis and inductive steps, using both numerical and symbolic computation, to
prove that $\sum_{j=1}^{n} j^2 = n(n + 1)(2n + 1)/6$ for all positive integers n.

3. Complete the basis and inductive steps, using both numerical and symbolic computation, to
prove that $\sum_{j=1}^{n} j^3 = (n(n + 1)/2)^2$ for all positive integers n.

4. Use the values $\sum_{j=1}^{n} j^4$ for n = 1, 2, 3, 4, 5, 6 to conjecture a formula for this sum that is a
polynomial of degree 5 in n. Attempt to prove your conjecture via mathematical induction
using numerical and symbolic computation.

5. Paul Erdős and E. Strauss have conjectured that the fraction 4/n can be written as the sum
of three unit fractions, that is, 4/n = 1/x + 1/y + 1/z, where x, y, and z are distinct positive
integers for all integers n with n > 1. Find such representation for as many positive integers
n as you can.

6. It is conjectured that the rational number p/q, where p and q are integers with 0 < p < q
and q is odd, can be expressed as an Egyptian fraction that is the sum of unit fractions
with odd denominators. Explore this conjecture using the greedy algorithm that successively
adds the unit fraction with the least positive odd denominator q at each stage. (For example,
2/7 = 1/5 + 1/13 + 1/115 + 1/10,465.)


Programming Projects

1. List the moves in the tower of Hanoi puzzle (see Exercise 32). If you can, animate these
moves.

2. Cover a $2^n \times 2^n$ chessboard that is missing one square using L-shaped pieces (see Exercise
34).

3. Given a rational number p/q, express p/q as an Egyptian fraction using the algorithm
described in Exercise 35.
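The greedy algorithm from the hint in Exercise 35, together with the odd-denominator variant from item 6 of Computations and Explorations, as an added example that is not part of the book. The function names are assumptions of this sketch; the odd variant also assumes each denominator must exceed the previous one so that the unit fractions stay distinct, and because its termination is only conjectured it gives up after `max_terms` terms.

```python
from fractions import Fraction


def _ceil_reciprocal(x):
    """Smallest positive integer d with 1/d <= x, for a Fraction x > 0."""
    return -(-x.denominator // x.numerator)


def greedy_steps(p, q):
    """Yield (numerator of the current remainder, denominator chosen) per stage."""
    if not 0 < p < q:
        raise ValueError("need integers with 0 < p < q")
    rest = Fraction(p, q)
    while rest > 0:
        d = _ceil_reciprocal(rest)      # 1/d is the largest unit fraction <= rest
        yield rest.numerator, d
        rest -= Fraction(1, d)          # new numerator divides a*d - b, which is < a


def greedy_egyptian(p, q):
    """Denominators of the greedy Egyptian fraction for p/q (Exercise 35)."""
    return [d for _, d in greedy_steps(p, q)]


def remainder_numerators(p, q):
    """Numerators of the successive remainders; strong induction on p relies on
    this list being strictly decreasing, which forces termination."""
    return [a for a, _ in greedy_steps(p, q)]


def greedy_odd_egyptian(p, q, max_terms=50):
    """Greedy expansion of p/q (q odd) using only odd denominators.

    Assumption of this sketch: each denominator is the least odd integer that
    fits and is larger than the one before it.
    """
    if not 0 < p < q or q % 2 == 0:
        raise ValueError("need integers with 0 < p < q and q odd")
    rest = Fraction(p, q)
    denominators = []
    last = 1                            # 1/1 can never be used because p/q < 1
    while rest > 0:
        if len(denominators) == max_terms:
            raise RuntimeError("no expansion found within max_terms terms")
        d = max(_ceil_reciprocal(rest), last + 2)
        if d % 2 == 0:
            d += 1
        denominators.append(d)
        rest -= Fraction(1, d)
        last = d
    return denominators


if __name__ == "__main__":
    print(greedy_egyptian(5, 7), remainder_numerators(5, 7))
    print(greedy_odd_egyptian(2, 7))
```
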


1.4 The Fibonacci Numbers


In his book Liber Abaci, written in 1202, the mathematician Fibonacci posed a problem
concerning the growth of the number of rabbits in a certain area. This problem can be
phrased as follows: A young pair of rabbits, one of each sex, is placed on an island.
Assuming that rabbits do not breed until they are two months old and after they are two
months old, each pair of rabbits produces another pair each month, how many pairs are
there after n months?


Let $f_n$ be the number of pairs of rabbits after n months. We have $f_1 = 1$ because
only the original pair is on the island after one month. As this pair does not breed during
the second month, $f_2 = 1$. To find the number of pairs after n months, add the number
on the island the previous month, $f_{n-1}$, to the number of newborn pairs, which equals
$f_{n-2}$, because each newborn pair comes from a pair at least two months old. This leads
to the following definition.


Definition. The Fibonacci sequence is defined recursively by $f_1 = 1$, $f_2 = 1$, and
$f_n = f_{n-1} + f_{n-2}$ for $n \ge 3$. The terms of this sequence are called the Fibonacci numbers.


The mathematician Edouard Lucas named this sequence after Fibonacci in the
nineteenth century when he established many of its properties. The answer to Fibonacci’s
question is that there are $f_n$ rabbits on the island after n months.


Examining the initial terms of the Fibonacci sequence will be useful as we study 
their properties. 


Example 1.26. We compute the first ten Fibonacci numbers as follows:

$$\begin{aligned}
f_3 &= f_2 + f_1 = 1 + 1 = 2, \\
f_4 &= f_3 + f_2 = 2 + 1 = 3, \\
f_5 &= f_4 + f_3 = 3 + 2 = 5, \\
f_6 &= f_5 + f_4 = 5 + 3 = 8, \\
f_7 &= f_6 + f_5 = 8 + 5 = 13, \\
f_8 &= f_7 + f_6 = 13 + 8 = 21, \\
f_9 &= f_8 + f_7 = 21 + 13 = 34, \\
f_{10} &= f_9 + f_8 = 34 + 21 = 55.
\end{aligned}$$ ◄


FIBONACCI (c. 1180-1228) (short for filius Bonacci, son of Bonacci), also
known as Leonardo of Pisa, was born in the Italian commercial center of Pisa.
Fibonacci was a merchant who traveled extensively throughout the Mideast,
where he came into contact with mathematical works from the Arabic world.
In his Liber Abaci Fibonacci introduced Arabic notation for numerals and their
algorithms for arithmetic into the European world. It was in this book that his
famous rabbit problem appeared. Fibonacci also wrote Practica geometriae,
a treatise on geometry and trigonometry, and Liber quadratorum, a book on
diophantine equations.


We can define the value of $f_0 = 0$, so that $f_2 = f_1 + f_0$. We can also define $f_n$, where
n is a negative number so that the equality in the recursive definition is satisfied (see
Exercise 37).


The Fibonacci numbers occur in an amazing variety of applications. For example,
in botany the number of spirals in plants with a pattern known as phyllotaxis is always
a Fibonacci number. They occur in the solution of a tremendous variety of counting
problems, such as counting the number of bit strings with no two consecutive 1s (see
[Ro07]).


The Fibonacci numbers also satisfy an extremely large number of identities. For 
example, we can easily find an identity for the sum of the first n consecutive Fibonacci 
numbers. 


Example 1.27. The sum of the first n Fibonacci numbers for $1 \le n \le 8$ equals 1, 2, 4,
7, 12, 20, 33, and 54. Looking at these numbers, we see that they are all just 1 less than
the Fibonacci number $f_{n+2}$. This leads us to the conjecture that

$$\sum_{k=1}^{n} f_k = f_{n+2} - 1.$$

Can we prove this identity for all positive integers n?


We will show, in two different ways, that this identity does hold for all integers n. 
We provide two different demonstrations, to show that there is often more than one way 
to prove that an identity is true. 


First, we use the fact that $f_n = f_{n-1} + f_{n-2}$ for n = 2, 3, ... to see that
$f_k = f_{k+2} - f_{k+1}$ for k = 1, 2, 3, .... This means that

$$\sum_{k=1}^{n} f_k = \sum_{k=1}^{n} (f_{k+2} - f_{k+1}).$$

We can easily evaluate this sum because it is telescoping. Using the formula for a
telescoping sum found in Section 1.2, we have

$$\sum_{k=1}^{n} f_k = f_{n+2} - f_2 = f_{n+2} - 1.$$

This proves the result.


We can also prove this identity using mathematical induction. The basis step holds
because $\sum_{k=1}^{1} f_k = 1$ and this equals $f_{1+2} - 1 = f_3 - 1 = 2 - 1 = 1$. The inductive
hypothesis is

$$\sum_{k=1}^{n} f_k = f_{n+2} - 1.$$

We must show that, under this assumption,

$$\sum_{k=1}^{n+1} f_k = f_{n+3} - 1.$$

To prove this, note that by the inductive hypothesis we have

$$\begin{aligned}
\sum_{k=1}^{n+1} f_k &= \left(\sum_{k=1}^{n} f_k\right) + f_{n+1} \\
&= (f_{n+2} - 1) + f_{n+1} \\
&= (f_{n+1} + f_{n+2}) - 1 \\
&= f_{n+3} - 1.
\end{aligned}$$ ◄


The exercise set at the end of this section asks you to prove many other identities of 
the Fibonacci numbers. 


How Fast Do the Fibonacci Numbers Grow?

The following inequality, which shows that the Fibonacci numbers grow faster than a
geometric series with common ratio $\alpha = (1 + \sqrt{5})/2$, will be used in Chapter 3.


Example 1.28. We can use the second principle of mathematical induction to prove
that $f_n > \alpha^{n-2}$ for $n \ge 3$ where $\alpha = (1 + \sqrt{5})/2$. The basis step consists of verifying this
inequality for n = 3 and n = 4. We have $\alpha < 2 = f_3$, so the theorem is true for n = 3.
Because $\alpha^2 = (3 + \sqrt{5})/2 < 3 = f_4$, the theorem is true for n = 4.


The inductive hypothesis consists of assuming that $\alpha^{k-2} < f_k$ for all integers k with
$k \le n$. Because $\alpha = (1 + \sqrt{5})/2$ is a solution of $x^2 - x - 1 = 0$, we have $\alpha^2 = \alpha + 1$.
Hence,

$$\alpha^{n-1} = \alpha^2 \cdot \alpha^{n-3} = (\alpha + 1) \cdot \alpha^{n-3} = \alpha^{n-2} + \alpha^{n-3}.$$

By the inductive hypothesis, we have the inequalities

$$\alpha^{n-2} < f_n, \qquad \alpha^{n-3} < f_{n-1}.$$

By adding these two inequalities, we conclude that

$$\alpha^{n-1} < f_n + f_{n-1} = f_{n+1}.$$

This finishes the proof. ◄


We conclude this section with an explicit formula for the nth Fibonacci number. We
will not provide a proof in the text, but Exercises 41 and 42 at the end of this section
outline how this formula can be found using linear homogeneous recurrence relations
and generating functions, respectively. Furthermore, Exercise 40 asks that you prove this
identity by showing that the terms satisfy the same recursive definition as the Fibonacci
numbers do, and Exercise 45 asks for a proof via mathematical induction. The advantage
of the first two approaches is that they can be used to find the formula, while the second
two approaches cannot.


Theorem 1.7. Let n be a positive integer and let $\alpha = \frac{1 + \sqrt{5}}{2}$ and $\beta = \frac{1 - \sqrt{5}}{2}$. Then the
nth Fibonacci number $f_n$ is given by

$$f_n = \frac{1}{\sqrt{5}} (\alpha^n - \beta^n).$$

We have presented a few important results involving the Fibonacci numbers. There 
is a vast literature concerning these numbers and their many applications to botany, 
computer science, geography, physics, and other areas (see [Va89]). There is even a 
scholarly journal, The Fibonacci Quarterly, devoted to their study. 
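
Theorem 1.7, the identity of Example 1.27 and the bound of Example 1.28 can be checked with exact arithmetic on numbers of the form x + y√5, as in this added example (not code from the book). The function names are assumptions of this sketch, and `lucas` uses the formula stated in Exercise 28.

```python
from fractions import Fraction

HALF = Fraction(1, 2)
ALPHA = (HALF, HALF)     # (1 + sqrt 5)/2 stored as the pair (x, y) for x + y*sqrt(5)
BETA = (HALF, -HALF)     # (1 - sqrt 5)/2


def mul(u, v):
    """(a + b*sqrt5)(c + d*sqrt5) = (ac + 5bd) + (ad + bc)*sqrt5."""
    a, b = u
    c, d = v
    return (a * c + 5 * b * d, a * d + b * c)


def power(u, n):
    """u**n for n >= 0 by repeated squaring."""
    result = (Fraction(1), Fraction(0))
    while n:
        if n & 1:
            result = mul(result, u)
        u = mul(u, u)
        n >>= 1
    return result


def fib_list(n):
    """[f_1, ..., f_n] from the recursive definition f_n = f_(n-1) + f_(n-2)."""
    f = [1, 1]
    while len(f) < n:
        f.append(f[-1] + f[-2])
    return f[:n]


def binet(n):
    """f_n = (alpha^n - beta^n)/sqrt(5), evaluated exactly (Theorem 1.7)."""
    xa, ya = power(ALPHA, n)
    xb, yb = power(BETA, n)
    rational, root = xa - xb, ya - yb    # alpha^n - beta^n = rational + root*sqrt5
    if rational != 0 or root.denominator != 1:
        raise ArithmeticError("alpha^n - beta^n is not an integer multiple of sqrt(5)")
    return int(root)                     # dividing root*sqrt5 by sqrt5 leaves root


def lucas(n):
    """L_n = alpha^n + beta^n (the formula of Exercise 28)."""
    xa, ya = power(ALPHA, n)
    xb, yb = power(BETA, n)
    if ya + yb != 0 or (xa + xb).denominator != 1:
        raise ArithmeticError("alpha^n + beta^n is not an integer")
    return int(xa + xb)


def alpha_power_below_fib(n):
    """True when alpha^(n-2) < f_n for n >= 3, decided without floating point."""
    x, y = power(ALPHA, n - 2)           # both coordinates are positive here
    gap = fib_list(n)[-1] - x
    # x + y*sqrt5 < f_n  <=>  y*sqrt5 < gap  <=>  gap > 0 and 5*y^2 < gap^2
    return gap > 0 and 5 * y * y < gap * gap


def sum_identity_holds(n):
    """Example 1.27: f_1 + ... + f_n = f_(n+2) - 1."""
    f = fib_list(n + 2)
    return sum(f[:n]) == f[n + 1] - 1


if __name__ == "__main__":
    print([binet(n) for n in range(1, 11)])
    print(all(alpha_power_below_fib(n) for n in range(3, 40)))
```
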


EXERCISES 


1. Find the following Fibonacci numbers.
a) fio c) fis e) fro
b) fis d) fig f) fos

2. Find each of the following Fibonacci numbers.
a) fi2 c) fr e) fro
b) fie d) f30 f) fre

3. Prove that $f_{n+3} + f_n = 2f_{n+2}$ whenever n is a positive integer.

4. Prove that $f_{n+3} - f_n = 2f_{n+1}$ whenever n is a positive integer.

5. Prove that $f_{2n} = f_n^2 + 2f_{n-1}f_n$ whenever n is a positive integer. (Recall that $f_0 = 0$.)

6. Prove that $f_{n-2} + f_{n+2} = 3f_n$ whenever n is an integer with $n \ge 2$. (Recall that $f_0 = 0$.)

7. Find and prove a simple formula for the sum of the first n Fibonacci numbers with odd indices
when n is a positive integer. That is, find a simple formula for $f_1 + f_3 + \cdots + f_{2n-1}$.

8. Find and prove a simple formula for the sum of the first n Fibonacci numbers with even
indices when n is a positive integer. That is, find a simple formula for $f_2 + f_4 + \cdots + f_{2n}$.

9. Find and prove a simple formula for the expression
$f_n - f_{n-1} + f_{n-2} - \cdots + (-1)^{n+1} f_1$ when n is a positive integer.

10. Prove that $f_{2n+1} = f_{n+1}^2 + f_n^2$ whenever n is a positive integer.

11. Prove that $f_{2n} = f_{n+1}^2 - f_{n-1}^2$ whenever n is a positive integer. (Recall that $f_0 = 0$.)

12. Prove that $f_n + f_{n-1} + f_{n-2} + 2f_{n-3} + 4f_{n-4} + 8f_{n-5} + \cdots + 2^{n-3} = 2^{n-1}$
whenever n is an integer with $n \ge 3$.

13. Prove that $\sum_{j=1}^{n} f_j^2 = f_1^2 + f_2^2 + \cdots + f_n^2 = f_n f_{n+1}$ for every positive integer n.
14. Prove that $f_{n+1} f_{n-1} - f_n^2 = (-1)^n$ for every positive integer n.

15. Prove that $f_{n+1} f_n - f_{n-1} f_{n-2} = f_{2n-1}$ for every positive integer n, $n \ge 2$.

16. Prove that $f_1 f_2 + f_2 f_3 + \cdots + f_{2n-1} f_{2n} = f_{2n}^2$ if n is a positive integer.

17. Prove that $f_{m+n} = f_m f_{n+1} + f_n f_{m-1}$ whenever m and n are positive integers.


The Lucas numbers, named after François-Édouard-Anatole Lucas (see Chapter 7 for a biography),
are defined recursively by

$$L_n = L_{n-1} + L_{n-2}, \quad n \ge 3,$$

with $L_1 = 1$ and $L_2 = 3$. They satisfy the same recurrence relation as the Fibonacci numbers, but
the two initial values are different.


18. Find the first 12 Lucas numbers.

19. Find and prove a formula for the sum of the first n Lucas numbers when n is a positive integer.

20. Find and prove a formula for the sum of the first n Lucas numbers with odd indices when n
is a positive integer.

21. Find and prove a formula for the sum of the first n Lucas numbers with even indices when n
is a positive integer.

22. Prove that $L_n^2 - L_{n+1} L_{n-1} = 5(-1)^n$ when n is an integer with $n \ge 2$.

23. Prove that $L_1^2 + L_2^2 + \cdots + L_n^2 = L_n L_{n+1} - 2$ when n is an integer with $n \ge 1$.

24. Show that the nth Lucas number $L_n$ is the sum of the (n + 1)st and (n - 1)st Fibonacci
numbers, $f_{n+1}$ and $f_{n-1}$, respectively.

25. Show that $f_{2n} = f_n L_n$ for all integers n with $n \ge 1$, where $f_n$ is the nth Fibonacci number
and $L_n$ is the nth Lucas number.

26. Prove that $5f_{n+1} = L_n + L_{n+2}$ whenever n is a positive integer, $f_n$ is the nth Fibonacci
number, and $L_n$ is the nth Lucas number.

27. Prove that $L_{m+n} = f_{m+1} L_n + f_m L_{n-1}$ whenever m and n are positive integers with n > 1, $f_n$
is the nth Fibonacci number, and $L_n$ is the nth Lucas number.

28. Show that $L_n$, the nth Lucas number, is given by

$$L_n = \alpha^n + \beta^n,$$

where $\alpha = (1 + \sqrt{5})/2$ and $\beta = (1 - \sqrt{5})/2$.


The Zeckendorf representation of a positive integer is the unique expression of this integer as the
sum of distinct Fibonacci numbers, where no two of these Fibonacci numbers are consecutive
terms in the Fibonacci sequence and where the term $f_1 = 1$ is not used (but the term $f_2 = 1$ may
be used).


29. Find the Zeckendorf representation of each of the integers 50, 85, 110, and 200.

30. Show that every positive integer has a unique Zeckendorf representation.

31. Show that $f_n < \alpha^{n-1}$ for every integer n with $n \ge 2$, where $\alpha = (1 + \sqrt{5})/2$.

32. Show that

$$\binom{n}{0} + \binom{n-1}{1} + \binom{n-2}{2} + \cdots = f_{n+1},$$

where n is a nonnegative integer and $f_{n+1}$ is the (n + 1)st Fibonacci number. (See Appendix B
for a review of binomial coefficients. Here, the sum ends with the term (a) )

33. Prove that whenever n is a nonnegative integer, $\sum_{j=1}^{n} \binom{n}{j} f_j = f_{2n}$, where $f_j$ is the jth
Fibonacci number.

34. Let $F = \begin{pmatrix} 1 & 1 \\ 1 & 0 \end{pmatrix}$. Show that
$F^n = \begin{pmatrix} f_{n+1} & f_n \\ f_n & f_{n-1} \end{pmatrix}$ when $n \in \mathbb{Z}^+$.

35. By taking determinants of both sides of the result of Exercise 34, prove the identity in
Exercise 14.

36. Define the generalized Fibonacci numbers recursively by $g_1 = a$, $g_2 = b$, and
$g_n = g_{n-1} + g_{n-2}$ for $n \ge 3$. Show that $g_n = a f_{n-2} + b f_{n-1}$ for $n \ge 3$.

37. Give a recursive definition of the Fibonacci number $f_n$ when n is a negative integer. Use your
definition to find $f_n$ for n = -1, -2, -3, ..., -10.

38. Use the results of Exercise 37 to formulate a conjecture that relates the values of $f_{-n}$ and $f_n$
when n is a positive integer. Prove this conjecture using mathematical induction.


39. What is wrong with the claim that an 8 x 8 square can be broken into pieces that can be 
reassembled to form a 5 x 13 rectangle as shown? 


(Hint: Look at the identity in Exercise 14. Where is the extra square unit?) 


40. Show that if $a_n = \frac{1}{\sqrt{5}}(\alpha^n - \beta^n)$, where $\alpha = (1+\sqrt{5})/2$ and $\beta = (1-\sqrt{5})/2$, then
$a_n = a_{n-1} + a_{n-2}$ and $a_1 = a_2 = 1$. Conclude that $f_n = a_n$, where $f_n$ is the nth Fibonacci number.


A linear homogeneous recurrence relation of degree 2 with constant coefficients is an equation
of the form

$a_n = c_1 a_{n-1} + c_2 a_{n-2}$,

where $c_1$ and $c_2$ are real numbers with $c_2 \ne 0$. It is not difficult to show (see [Ro07]) that if the
equation $r^2 - c_1 r - c_2 = 0$ has two distinct roots $r_1$ and $r_2$, then the sequence $\{a_n\}$ is a solution of
the linear homogeneous recurrence relation $a_n = c_1 a_{n-1} + c_2 a_{n-2}$ if and only if $a_n = C_1 r_1^n + C_2 r_2^n$
for n = 0, 1, 2, ..., where $C_1$ and $C_2$ are constants. The values of these constants can be found
using the two initial terms of the sequence.


41. Find an explicit formula for $f_n$, proving Theorem 1.7, by solving the recurrence relation
$f_n = f_{n-1} + f_{n-2}$ for n = 2, 3, ... with initial conditions $f_0 = 0$ and $f_1 = 1$.


The generating function for the sequence $a_0, a_1, \ldots, a_k, \ldots$ is the infinite series

$G(x) = \sum_{k=0}^{\infty} a_k x^k$.

42. Use the generating function $G(x) = \sum_{k=0}^{\infty} f_k x^k$, where $f_k$ is the kth Fibonacci number, to find
an explicit formula for $f_k$, proving Theorem 1.7. (Hint: Use the fact that $f_k = f_{k-1} + f_{k-2}$
for k = 2, 3, ... to show that $G(x) - xG(x) - x^2G(x) = x$. Solve this to show that
$G(x) = x/(1 - x - x^2)$ and then write G(x) in terms of partial fractions, as is done in calculus.) (See
[Ro07] for information on using generating functions.)

43. Find an explicit formula for the Lucas numbers using the technique of Exercise 41.

44. Find an explicit formula for the Lucas numbers using the technique of Exercise 42.

45. Use mathematical induction to prove Theorem 1.7.


Computations and Explorations 


1. Find the Fibonacci numbers fi99, foo9, and fsop- 


2. Find the Lucas numbers Ljo9, L299, and Lo. 


3. Examine as many Fibonacci numbers as possible to determine which are perfect squares.
Formulate a conjecture based on your evidence.

4. Examine as many Fibonacci numbers as possible to determine which are triangular numbers.
Formulate a conjecture based on your evidence.

5. Examine as many Fibonacci numbers as possible to determine which are perfect cubes.
Formulate a conjecture based on your evidence.

6. Find the largest Fibonacci number less than 10,000, less than 100,000, and less than
1,000,000.

7. A surprising theorem states that the Fibonacci numbers are the positive values of the
polynomial $2xy^4 + x^2y^3 - 2x^3y^2 - y^5 - x^4y + 2y$ as x and y range over all nonnegative integers.
Verify this conjecture for the values of x and y where x and y are nonnegative integers with
x + y < 100.


Programming Projects 


1. Given a positive integer n, find the first n terms of the Fibonacci sequence.

2. Given a positive integer n, find the first n terms of the Lucas sequence.

3. Given a positive integer n, find its Zeckendorf representation (defined in the preamble to
Exercise 29).


1.5 Divisibility

The concept of the divisibility of one integer by another is central in number theory.

Definition. If a and b are integers with a ≠ 0, we say that a divides b if there is an
integer c such that b = ac. If a divides b, we also say that a is a divisor or factor of b
and that b is a multiple of a.

If a divides b we write a | b, and if a does not divide b we write a ∤ b. (Be careful
not to confuse the notations a | b, which denotes that a divides b, and a/b, which is the
quotient obtained when a is divided by b.)


Example 1.29. The following statements illustrate the concept of the divisibility of
integers: 13 | 182, −5 | 30, 17 | 289, 6 ∤ 44, 7 ∤ 50, −3 | 33, and 17 | 0. ◄


Example 1.30. The divisors of 6 are ±1, ±2, ±3, ±6. The divisors of 17 are ±1, ±17.
The divisors of 100 are ±1, ±2, ±4, ±5, ±10, ±20, ±25, ±50, ±100. ◄


In subsequent chapters, we will need some simple properties of divisibility, which
we now state and prove.

Theorem 1.8. If a, b, and c are integers with a | b and b | c, then a | c.

Proof. Because a | b and b | c, there are integers e and f such that ae = b and bf = c.
Hence, c = bf = (ae)f = a(ef), and we conclude that a | c. ■


Example 1.31. Because 11 | 66 and 66 | 198, Theorem 1.8 tells us that 11 | 198. ◄


Theorem 1.9. If a, b, m, and n are integers, and if c | a and c | b, then c | (ma + nb).


Proof. Because c | a and c | b, there are integers e and f such that a = ce and b = cf.
Hence, ma + nb = mce + ncf = c(me + nf). Consequently, we see that c | (ma + nb). ■


Example 1.32. As 3 | 21 and 3 | 33, Theorem 1.9 tells us that 3 divides
5 · 21 − 3 · 33 = 105 − 99 = 6. ◄


The following theorem states an important fact about division. 


Theorem 1.10. The Division Algorithm. If a and b are integers such that b > 0, then
there are unique integers q and r such that a = bq + r with 0 ≤ r < b.


In the equation given in the division algorithm, we call q the quotient and r the 
remainder. We also call a the dividend and b the divisor. (Note: We use the traditional 
name for this theorem even though the division algorithm is not actually an algorithm. 
We discuss algorithms in Section 2.2.) 


We note that a is divisible by b if and only if the remainder in the division algorithm
is 0. Before we prove the division algorithm, consider the following examples.


Example 1.33. If a = 133 and b = 21, then q = 6 and r = 7, because 133 = 21 · 6 + 7
and 0 ≤ 7 < 21. Likewise, if a = −50 and b = 8, then q = −7 and r = 6, because
−50 = 8(−7) + 6 and 0 ≤ 6 < 8. ◄


We now prove the division algorithm using the well-ordering property.

Proof. Consider the set S of all integers of the form a − bk where k is an integer, that
is, S = {a − bk | k ∈ Z}. Let T be the set of all nonnegative integers in S. T is nonempty,
because a − bk is positive whenever k is an integer with k < a/b.


By the well-ordering property, T has a least element r = a − bq. (These are the
values for q and r specified in the theorem.) We know that r ≥ 0 by construction, and
it is easy to see that r < b. If r ≥ b, then r > r − b = a − bq − b = a − b(q + 1) ≥ 0,
which contradicts the choice of r = a − bq as the least nonnegative integer of the form
a − bk. Hence, 0 ≤ r < b.


To show that these values for q and r are unique, assume that we have two equations
$a = bq_1 + r_1$ and $a = bq_2 + r_2$, with $0 \le r_1 < b$ and $0 \le r_2 < b$. By subtracting the second
of these equations from the first, we find that

$0 = b(q_1 - q_2) + (r_1 - r_2)$.

Hence, we see that

$r_2 - r_1 = b(q_1 - q_2)$.

This tells us that b divides $r_2 - r_1$. Because $0 \le r_1 < b$ and $0 \le r_2 < b$, we have
$-b < r_2 - r_1 < b$. Hence, b can divide $r_2 - r_1$ only if $r_2 - r_1 = 0$ or, in other words, if $r_1 = r_2$.
Because $bq_1 + r_1 = bq_2 + r_2$ and $r_1 = r_2$, we also see that $q_1 = q_2$. This shows that the
quotient q and the remainder r are unique. ■


We now use the greatest integer function (defined in Section 1.1) to give explicit
formulas for the quotient and remainder in the division algorithm. Because the quotient
q is the largest integer such that bq ≤ a, and r = a − bq, it follows that


(1.4) q = [a/b], r = a − b[a/b].


The following examples display the quotient and remainder of a division. 


Example 1.34. Let a = 1028 and b = 34. Then a = bq + r with 0 ≤ r < b, where
q = [1028/34] = 30 and r = 1028 − [1028/34] · 34 = 1028 − 30 · 34 = 8. ◄


Example 1.35. Let a = −380 and b = 75. Then a = bq + r with 0 ≤ r < b, where
q = [−380/75] = −6 and r = −380 − [−380/75] · 75 = −380 − (−6)75 = 70. ◄
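
The quotient and remainder of Theorem 1.10 and Equation (1.4), as an added Python example that is not from the book. It goes slightly beyond the text by covering the nonzero divisors of Exercise 25 and by contrasting the result with truncating division (the rule of the C99 `/` and `%` operators), whose remainder is negative for a negative dividend; all function names are chosen here for illustration.

```python
# Added example: the division algorithm (Theorem 1.10) versus truncating division.

def division_algorithm(a, b):
    """Return (q, r) with a == b*q + r and 0 <= r < b, for b > 0."""
    if b <= 0:
        raise ValueError("Theorem 1.10 requires b > 0")
    q = a // b           # on Python ints, // is the greatest integer [a/b]
    r = a - b * q        # Equation (1.4)
    return q, r


def extended_division(a, b):
    """Exercise 25(a): any b != 0, with a == b*q + r and 0 <= r < |b|."""
    if b == 0:
        raise ValueError("the divisor must be nonzero")
    q, r = division_algorithm(a, abs(b))
    # a = |b|*q + r, so for b < 0 the quotient changes sign and r is unchanged.
    return (q if b > 0 else -q), r


def truncated_division(a, b):
    """Quotient rounded toward zero; the remainder then has the sign of a."""
    if b == 0:
        raise ValueError("the divisor must be nonzero")
    q = abs(a) // abs(b)
    if (a < 0) != (b < 0):
        q = -q
    return q, a - b * q


def normalize_truncated(a, b):
    """Convert a truncating (q, r) into the pair Theorem 1.10 guarantees (b > 0)."""
    if b <= 0:
        raise ValueError("Theorem 1.10 requires b > 0")
    q, r = truncated_division(a, b)
    if r < 0:            # only possible when a < 0 and b does not divide a
        q, r = q - 1, r + b
    return q, r


def divides(a, b):
    """a | b for a != 0: true exactly when the remainder of b on division by a is 0."""
    if a == 0:
        raise ValueError("a | b is defined only for a != 0")
    return extended_division(b, a)[1] == 0


if __name__ == "__main__":
    # Dividends and divisors taken from Examples 1.33 to 1.35.
    for a, b in [(133, 21), (-50, 8), (1028, 34), (-380, 75)]:
        print(a, b, "theorem:", division_algorithm(a, b),
              "truncating:", truncated_division(a, b))
```

For a nonnegative dividend the two conventions agree; they differ only when a is negative and b does not divide a, which is the case that matters when a remainder is later used as an index or a residue class.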


We can use Equation (1.4) to prove a useful property of the greatest integer function. 


Example 1.36. Show that if n is a positive integer, then [x/n] = [[x]/n] whenever x
is a real number. To prove this identity, suppose that [x] = m. By the division algorithm,
we have integers q and r such that m = nq + r, where 0 ≤ r ≤ n − 1. By Equation (1.4),
we have q = [[x]/n]. Because [x] ≤ x < [x] + 1, it follows that x = [x] + ε, where
0 ≤ ε < 1. We see that [x/n] = [([x] + ε)/n] = [(m + ε)/n] = [((nq + r) + ε)/n] =
[q + (r + ε)/n]. Because 0 ≤ ε < 1, we have 0 ≤ r + ε < (n − 1) + 1 = n. It follows
that [x/n] = [q]. ◄


Given a positive integer d, we can classify integers according to their remainders
when divided by d. For example, with d = 2, we see from the division algorithm that
every integer when divided by 2 leaves a remainder of either 0 or 1. This leads to the
following definition of some common terminology.


Definition. If the remainder when n is divided by 2 is 0, then n = 2k for some integer 
k, and we say that n is even, whereas if the remainder when n is divided by 2 is 1, then 
n = 2k + 1 for some integer k, and we say that n is odd. 


Similarly, when d = 4, we see from the division algorithm that when an integer n 
is divided by 4, the remainder is either 0, 1, 2, or 3. Hence, every integer is of the form 
4k, 4k + 1, 4k + 2, or 4k + 3, where k is a positive integer. 


We will pursue these matters further in Chapter 4. 


Greatest Common Divisors 


If a and b are integers, not both 0, then the set of common divisors of a and b is a finite 
set of integers, always containing the integers +1 and —1. We are interested in the largest 
integer among the common divisors of the two integers. 


Definition. The greatest common divisor of two integers a and b, which are not both
0, is the largest integer that divides both a and b.


The greatest common divisor of a and b is written as (a, b). (Note that the notation 
gcd(a, b) is also used, especially outside of number theory. We will use the traditional 
notation (a, b) here, even though it is the same notation used for ordered pairs.) Note that 
(0, n) = (n, 0) =n whenever n is a positive integer. Even though every positive integer 
divides 0, we define (0, 0) = 0. This is done to ensure that the results we prove about 
greatest common divisors hold in all cases. 


Example 1.37. The common divisors of 24 and 84 are ±1, ±2, ±3, ±4, ±6, and
±12. Hence, (24, 84) = 12. Similarly, looking at sets of common divisors, we find
that (15, 81) = 3, (100, 5) = 5, (17, 25) = 1, (0, 44) = 44, (−6, −15) = 3, and
(−17, 289) = 17. ◄


We are particularly interested in pairs of integers sharing no common divisors greater 
than 1. Such pairs of integers are called relatively prime. 


Definition. The integers a and b, with a ≠ 0 and b ≠ 0, are relatively prime if a and b
have greatest common divisor (a, b) = 1.


Example 1.38. Because (25, 42) = 1, 25 and 42 are relatively prime. ◄


We will study greatest common divisors at length in Chapter 4. In that chapter, we 
will give an algorithm for computing greatest common divisors. We will also prove many 
important results about them that lead to key theorems in number theory. 
EXERCISES


1. Show that 3 | 99, 5 | 145, 7 | 343, and 888 | 0.

2. Show that 1001 is divisible by 7, by 11, and by 13.

3. Decide which of the following integers are divisible by 7.
a) 0 b) 707 c) 1717 d) 123,321 e) −285,714 f) −430,597

4. Decide which of the following integers are divisible by 22.
a) 0 b) 444 c) 1716 d) 192,544 e) −32,516 f) −195,518

5. Find the quotient and remainder in the division algorithm, with divisor 17 and dividend
a) 100. b) 289. c) −44. d) −100.

6. Find all positive integers that divide each of these integers.
a) 12 b) 22 c) 37 d) 41

7. Find all positive integers that divide each of these integers.
a) 13 b) 21 c) 36 d) 44

8. Find these greatest common divisors by finding all positive integers that divide each integer
in the pair and selecting the largest that divides both.
a) (8, 12) b) (7, 9) c) (15, 25) d) (16, 27)

9. Find these greatest common divisors by finding all positive integers that divide each integer
in the pair and selecting the largest that divides both.
a) (11, 22) b) (36, 42) c) (21, 22) d) (16, 64)

10. Find all positive integers less than 10 that are relatively prime to it.

11. Find all positive integers less than 11 that are relatively prime to it.

12. Find all pairs of positive integers not exceeding 10 that are relatively prime.

13. Find all pairs of positive integers between 10 and 20, inclusive, that are relatively prime.

14. What can you conclude if a and b are nonzero integers such that a | b and b | a?

15. Show that if a, b, c, and d are integers with a and c nonzero, such that a | b and c | d, then
ac | bd.

16. Are there integers a, b, and c such that a | bc, but a ∤ b and a ∤ c?

17. Show that if a, b, and c ≠ 0 are integers, then a | b if and only if ac | bc.

18. Show that if a and b are positive integers and a | b, then a ≤ b.

19. Show that if a and b are integers such that a | b, then $a^k \mid b^k$ for every positive integer k.

20. Show that the sum of two even or of two odd integers is even, whereas the sum of an odd and
an even integer is odd.

21. Show that the product of two odd integers is odd, whereas the product of two integers is even
if either of the integers is even.

22. Show that if a and b are odd positive integers and b ∤ a, then there are integers s and t such
that a = bs + t, where t is odd and |t| < b.


23. When the integer a is divided by the integer b, where b > 0, the division algorithm gives a
quotient of q and a remainder of r. Show that if b ∤ a, when −a is divided by b, the division
algorithm gives a quotient of −(q + 1) and a remainder of b − r, whereas if b | a, the quotient
is −q and the remainder is 0.

24. Show that if a, b, and c are integers with b > 0 and c > 0, such that when a is divided by b
the quotient is q and the remainder is r, and when q is divided by c the quotient is t and the
remainder is s, then when a is divided by bc, the quotient is t and the remainder is bs + r.

25. a) Extend the division algorithm by allowing negative divisors. In particular, show that
whenever a and b ≠ 0 are integers, there are unique integers q and r such that a = bq + r,
where 0 ≤ r < |b|.

b) Find the remainder when 17 is divided by −7.

26. Show that if a and b are positive integers, then there are unique integers q and r such that
a = bq + r, where −b/2 < r ≤ b/2. This result is called the modified division algorithm.

27. Show that if m and n > 0 are integers, then

$\left[\frac{m+1}{n}\right] = \begin{cases} \left[\frac{m}{n}\right] & \text{if } m \ne kn - 1 \text{ for some integer } k; \\ \left[\frac{m}{n}\right] + 1 & \text{if } m = kn - 1 \text{ for some integer } k. \end{cases}$

28. Show that the integer n is even if and only if n − 2[n/2] = 0.

29. Show that the number of positive integers less than or equal to x, where x is a positive real
number, that are divisible by the positive integer d equals [x/d].

30. Find the number of positive integers not exceeding 1000 that are divisible by 5, by 25, by
125, and by 625.

31. How many integers between 100 and 1000 are divisible by 7? by 49?

32. Find the number of positive integers not exceeding 1000 that are not divisible by 3 or 5.

33. Find the number of positive integers not exceeding 1000 that are not divisible by 3, 5, or 7.

34. Find the number of positive integers not exceeding 1000 that are divisible by 3 but not by 4.

35. In early 2010, to mail a first-class letter in the United States of America it cost 44 cents for
the first ounce and 17 cents for each additional ounce or fraction thereof. Find a formula
involving the greatest integer function for the cost of mailing a letter in early 2010. Could it
possibly have cost $1.81 or $2.65 to mail a first-class letter in the United States of America
in early 2010?

36. Show that if a is an integer, then 3 divides $a^3 - a$.

37. Show that the product of two integers of the form 4k + 1 is again of this form, whereas the
product of two integers of the form 4k + 3 is of the form 4k + 1.

38. Show that the square of every odd integer is of the form 8k + 1.

39. Show that the fourth power of every odd integer is of the form 16k + 1.

40. Show that the product of two integers of the form 6k + 5 is of the form 6k + 1.

41. Show that the product of any three consecutive integers is divisible by 6.

42. Use mathematical induction to show that $n^5 - n$ is divisible by 5 for every positive integer n.

43. Use mathematical induction to show that the sum of the cubes of three consecutive integers
is divisible by 9.
In Exercises 44-48, let $f_n$ denote the nth Fibonacci number.

44. Show that $f_n$ is even if and only if n is divisible by 3.

45. Show that $f_n$ is divisible by 3 if and only if n is divisible by 4.

46. Show that $f_n$ is divisible by 4 if and only if n is divisible by 6.

47. Show that $f_n = 5f_{n-4} + 3f_{n-5}$ whenever n is a positive integer with n > 5. Use this result to
show that $f_n$ is divisible by 5 whenever n is divisible by 5.

* 48. Show that $f_{n+m} = f_m f_{n+1} + f_{m-1} f_n$ whenever m and n are positive integers with m > 1. Use
this result to show that $f_n \mid f_m$ when m and n are positive integers with n | m.


Let n be a positive integer. We define

$T(n) = \begin{cases} n/2 & \text{if } n \text{ is even;} \\ (3n+1)/2 & \text{if } n \text{ is odd.} \end{cases}$

We then form the sequence obtained by iterating T: n, T(n), T(T(n)), T(T(T(n))),
.... For instance, starting with n = 7, we have 7, 11, 17, 26, 13, 20, 10, 5, 8, 4, 2, 1, 2,
1, 2, 1, .... A well-known conjecture, sometimes called the Collatz conjecture, asserts that the
sequence obtained by iterating T always reaches the integer 1 no matter which positive integer n
begins the sequence.


49. Find the sequence obtained by iterating T starting with n = 39. 


50. Show that the sequence obtained by iterating T starting with $n = (2^{2k} - 1)/3$, where k is a
positive integer greater than 1, always reaches the integer 1.

51. Show that the Collatz conjecture is true if it can be shown that for every positive integer n
with n > 2 there is a term in the sequence obtained by iterating T that is less than n.

52. Verify that there is a term in the sequence obtained by iterating T, starting with the positive
integer n, that is less than n for all positive integers n with 2 < n < 100. (Hint: Begin by
considering sets of positive integers for which it is easy to show that this is true.)

* 53. Show that $[(2 + \sqrt{3})^n]$ is odd whenever n is a nonnegative integer.

* 54. Determine the number of positive integers n such that [n/2] + [n/3] + [n/5] = n, where, as
usual, [x] is the greatest integer function.

55. Prove the division algorithm using the second principle of mathematical induction.


Computations and Explorations 


1. Find the quotient and remainder when 111,111,111,111 is divided by 987,654,321. 


2. Verify the Collatz conjecture described in the preamble to Exercise 49 for all integers n not
exceeding 10,000.


3. Using numerical evidence, what sort of conjectures can you make concerning the number of 
iterations needed before the sequence of iterations T (n) reaches 1, where n is a given positive 
integer? 


4. Using numerical evidence, make conjectures about the divisibility of Fibonacci numbers by 
7, by 8, by 9, by 11, and by 13. 
Programming Projects


1. Decide whether an integer is divisible by a given integer.

2. Find the quotient and remainder in the division algorithm.

3. Find the quotient, remainder, and sign in the modified division algorithm given in Exercise 26.

4. Compute the terms of the sequence n, T(n), T(T(n)), T(T(T(n))), ... for a given positive
integer n, as defined in the preamble to Exercise 49.

Integer Representations
and Operations


The way in which integers are represented has a major impact on how easily people
and computers can do arithmetic with these integers. The purpose of this chapter is to
explain how integers are represented using base b expansions, and how basic arithmetic
operations can be carried out using these expansions. In particular, we will show that
when b is a positive integer, every positive integer has a unique base b expansion. For
example, when b is 10, we have the decimal expansion of an integer; when b is 2, we
have the binary expansion of this integer; and when b is 16, we have the hexadecimal
expansion. We will describe a procedure for finding the base b expansion of an integer,
and describe the basic algorithms used to carry out integer arithmetic with base b
expansions. Finally, after introducing big-O notation, we will analyze the computational
complexity of these basic operations in terms of big-O estimates of the number of bit
operations that they use.


2.1 Representations of Integers


In daily life, we use decimal notation to represent integers. We write out numbers using 
digits to represent powers of ten. For instance, when we write out the integer 37,465, we 
mean 


$3 \cdot 10^4 + 7 \cdot 10^3 + 4 \cdot 10^2 + 6 \cdot 10 + 5$.


Decimal notation is an example of a positional number system, in which the position 
a digit occupies in a representation determines the quantity it represents. Throughout 
ancient and modern history, many other notations for integers have been used. For 
example, Babylonian mathematicians who lived more than 3000 years ago expressed 
integers using sixty as a base. The Romans employed Roman numerals, which are used 
even today to represent years. The ancient Mayans used a positional notation with twenty 
as a base. Many other systems of integer notation have been invented and used over time. 


There is no special reason for using ten as the base in a fixed positional number 
system, other than that we have ten fingers. As we will see, any positive integer greater
than 1 can be used as a base. With the invention and proliferation of computers, bases
other than ten have become increasingly important. In particular, base 2, base 8, and base 
16 representations of integers are used extensively by computers for various purposes. 


In this section, we will demonstrate that no matter which positive integer b is chosen
as a base, every positive integer can be expressed uniquely in base b notation. In Section
2.2, we will show how these expansions can be used to do arithmetic with integers.
(See the exercise set at the end of this section to learn about one’s and two’s complement
notations, which are used by computers to represent both positive and negative integers.)


For more information about the fascinating history of positional number systems, the 
reader is referred to [Or88] or [Kn97], where extensive surveys and numerous references 
may be found. 


We now show that every positive integer greater than 1 may be used as a base. 


Theorem 2.1. Let b be a positive integer with b > 1. Then every positive integer n can
be written uniquely in the form

$n = a_k b^k + a_{k-1} b^{k-1} + \cdots + a_1 b + a_0$,

where k is a nonnegative integer, $a_j$ is an integer with $0 \le a_j \le b - 1$ for j = 0, 1, ..., k,
and the initial coefficient $a_k \ne 0$.


Proof. We obtain an expression of the desired type by successively applying the division
algorithm in the following way. We first divide n by b to obtain

$n = bq_0 + a_0, \quad 0 \le a_0 \le b - 1$.

If $q_0 \ne 0$, we continue by dividing $q_0$ by b to find that

$q_0 = bq_1 + a_1, \quad 0 \le a_1 \le b - 1$.

We continue this process to obtain

$q_1 = bq_2 + a_2, \quad 0 \le a_2 \le b - 1$,
$q_2 = bq_3 + a_3, \quad 0 \le a_3 \le b - 1$,
$\vdots$
$q_{k-2} = bq_{k-1} + a_{k-1}, \quad 0 \le a_{k-1} \le b - 1$,
$q_{k-1} = b \cdot 0 + a_k, \quad 0 \le a_k \le b - 1$.

The last step of the process occurs when a quotient of 0 is obtained. To see that we must
reach such a step, first note that the sequence of quotients satisfies

$n > q_0 > q_1 > q_2 > \cdots \ge 0$.

Because the sequence $q_0, q_1, q_2, \ldots$ is a decreasing sequence of nonnegative integers
that continues as long as its terms are positive, there are at most $q_0$ terms in this sequence,
and the last term equals 0.

From the first equation above, we find that

$n = bq_0 + a_0$.

We next replace $q_0$ using the second equation, to obtain

$n = b(bq_1 + a_1) + a_0 = b^2 q_1 + a_1 b + a_0$.

Successively substituting for $q_1, q_2, \ldots, q_{k-1}$, we have

$n = b^3 q_2 + a_2 b^2 + a_1 b + a_0$,
$\vdots$
$= b^{k-1} q_{k-2} + a_{k-2} b^{k-2} + \cdots + a_1 b + a_0$
$= b^k q_{k-1} + a_{k-1} b^{k-1} + \cdots + a_1 b + a_0$
$= a_k b^k + a_{k-1} b^{k-1} + \cdots + a_1 b + a_0$,

where $0 \le a_j \le b - 1$ for j = 0, 1, ..., k and $a_k \ne 0$, given that $a_k = q_{k-1}$ is the last
nonzero quotient. Consequently, we have found an expansion of the desired type.


To see that the expansion is unique, assume that we have two such expansions equal
to n, that is,

$n = a_k b^k + a_{k-1} b^{k-1} + \cdots + a_1 b + a_0$
$= c_k b^k + c_{k-1} b^{k-1} + \cdots + c_1 b + c_0$,

where $0 \le a_k < b$ and $0 \le c_k < b$ (and where, if necessary, we have added initial terms
with zero coefficients to one of the expansions to have the number of terms agree).
Subtracting one expansion from the other, we have

$(a_k - c_k) b^k + (a_{k-1} - c_{k-1}) b^{k-1} + \cdots + (a_1 - c_1) b + (a_0 - c_0) = 0$.

If the two expansions are different, there is a smallest integer j, $0 \le j \le k$, such that
$a_j \ne c_j$. Hence,

$b^j \left( (a_k - c_k) b^{k-j} + \cdots + (a_{j+1} - c_{j+1}) b + (a_j - c_j) \right) = 0$,

so that

$(a_k - c_k) b^{k-j} + \cdots + (a_{j+1} - c_{j+1}) b + (a_j - c_j) = 0$.

Solving for $a_j - c_j$, we obtain

$a_j - c_j = (c_k - a_k) b^{k-j} + \cdots + (c_{j+1} - a_{j+1}) b$
$= b \left( (c_k - a_k) b^{k-j-1} + \cdots + (c_{j+1} - a_{j+1}) \right)$.

Hence, we see that

$b \mid (a_j - c_j)$.

But because $0 \le a_j < b$ and $0 \le c_j < b$, we know that $-b < a_j - c_j < b$. Consequently,
$b \mid (a_j - c_j)$ implies that $a_j = c_j$. This contradicts the assumption that the two expansions
are different. We conclude that our base b expansion of n is unique. ■


For b = 2, we see by Theorem 2.1 that the following corollary holds. 


Corollary 2.1.1. Every positive integer may be represented as the sum of distinct
powers of 2.

Proof. Let n be a positive integer. From Theorem 2.1 with b = 2, we know that
$n = a_k 2^k + a_{k-1} 2^{k-1} + \cdots + a_1 2 + a_0$, where each $a_j$ is either 0 or 1. Hence, every
positive integer is the sum of distinct powers of 2. ■


In the expansions described in Theorem 2.1, b is called the base or radix of the 
expansion. We call base 10 notation, our conventional way of writing integers, decimal 
notation. Base 2 expansions are called binary expansions, base 8 expansions are called 
octal expansions, and base 16 expansions are called hexadecimal, or hex for short. The 
coefficients a; are called the digits of the expansion. Binary digits are called bits (binary 
digits) in computer terminology. 


To distinguish representations of integers with different bases, we use a special
notation. We write $(a_k a_{k-1} \ldots a_1 a_0)_b$ to represent the number
$a_k b^k + a_{k-1} b^{k-1} + \cdots + a_1 b + a_0$.


Example 2.1. To illustrate base b notation, note that $(236)_7 = 2 \cdot 7^2 + 3 \cdot 7 + 6 = 125$
and $(10010011)_2 = 1 \cdot 2^7 + 1 \cdot 2^4 + 1 \cdot 2^1 + 1 = 147$. ◄


The proof of Theorem 2.1 provides a method of finding the base b expansion
$(a_k a_{k-1} \ldots a_1 a_0)_b$ of any positive integer n. Specifically, to find the base b expansion
of n, we first divide n by b. The remainder is the digit $a_0$. Then, we divide the quotient
$[n/b] = q_0$ by b. The remainder is the digit $a_1$. We continue this process, successively
dividing the quotient obtained by b, to obtain the digits in the base b expansion of n.
The process stops once a quotient of 0 is obtained. In other words, to find the base b
expansion of n, we perform the division algorithm repeatedly, replacing the dividend
each time with the quotient, and stop when we come to a quotient that is 0. We then read
up the list of remainders to find the base b expansion. We illustrate this procedure in
Example 2.2.


Example 2.2. To find the base 2 expansion of 1864, we use the division algorithm
successively:

1864 = 2 · 932 + 0,
932 = 2 · 466 + 0,
466 = 2 · 233 + 0,
233 = 2 · 116 + 1,
116 = 2 · 58 + 0,
58 = 2 · 29 + 0,
29 = 2 · 14 + 1,
14 = 2 · 7 + 0,
7 = 2 · 3 + 1,
3 = 2 · 1 + 1,
1 = 2 · 0 + 1.


To obtain the base 2 expansion of 1864, we simply take the remainders of these divisions.
This shows that $(1864)_{10} = (11101001000)_2$. ◄

Computers represent numbers internally by using a series of “switches” that may be
either “on” or “off.” (This may be done electrically or mechanically, or by other means.)
Hence, we have two possible states for each switch. We can use “on” to represent the
digit 1 and “off” to represent the digit 0; this is why computers use binary expansions to
represent integers internally.


Computers use base 8 or base 16 for display purposes. In base 16 (hexadecimal) notation
there are 16 digits, usually denoted by 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F.
The letters A, B, C, D, E, and F are used to represent the digits that correspond to 10, 11,
12, 13, 14, and 15 (written in decimal notation). The following example demonstrates
the conversion from hexadecimal to decimal notation.


Example 2.3. To convert $(A35B0F)_{16}$ from hexadecimal to decimal notation, we write

$(A35B0F)_{16} = 10 \cdot 16^5 + 3 \cdot 16^4 + 5 \cdot 16^3 + 11 \cdot 16^2 + 0 \cdot 16 + 15$
$= (10705679)_{10}$. ◄


A simple conversion is possible between binary and hexadecimal notation. We can 
write each hex digit as a block of four binary digits according to the correspondences 
given in Table 2.1. 


Example 2.4. An example of conversion from hex to binary is $(2FB3)_{16} =
(10111110110011)_2$. Each hex digit is converted to a block of four binary digits (the
initial zeros in the initial block (0010) corresponding to the digit $(2)_{16}$ are omitted).


To convert from binary to hex, consider $(11110111101001)_2$. We break this into
blocks of four, starting from the right. The blocks are, from right to left, 1001, 1110,
1101, and 0011 (with two initial zeros added). Translating each block to hex, we obtain
$(3DE9)_{16}$. ◄


Hex Digit   Binary Digits     Hex Digit   Binary Digits
0           0000              8           1000
1           0001              9           1001
2           0010              A           1010
3           0011              B           1011
4           0100              C           1100
5           0101              D           1101
6           0110              E           1110
7           0111              F           1111

Table 2.1 Conversion from hex digits to blocks of binary digits.


We note that a conversion between two different bases is as easy as binary-hex
conversion whenever one of the bases is a power of the other.
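
The repeated-division procedure from the proof of Theorem 2.1 (Example 2.2) and the block conversion of Example 2.4, as an added Python example that is not from the book. It generalizes the hex and binary case to any pair of bases r and r^n, as the closing remark above allows; the function names and the digit alphabet 0-9, A-Z (bases up to 36) are choices made here.

```python
# Added example: base b expansions by repeated division, and block conversion
# between base r and base r**n. Digit lists are most significant digit first.

DIGITS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # assumed alphabet, bases 2..36


def to_base(n, b):
    """Digits a_k ... a_0 of the positive integer n in base b > 1 (Theorem 2.1)."""
    if b < 2:
        raise ValueError("the base must be an integer greater than 1")
    if n < 1:
        raise ValueError("Theorem 2.1 covers positive integers n")
    remainders = []
    q = n
    while q != 0:                  # stop once a quotient of 0 is obtained
        q, a = divmod(q, b)        # dividend = b*q + a with 0 <= a <= b - 1
        remainders.append(a)       # a_0 is produced first
    return remainders[::-1]        # "read up the list of remainders"


def from_base(digits, b):
    """Evaluate (a_k ... a_0)_b, rejecting any digit outside 0..b-1."""
    if b < 2:
        raise ValueError("the base must be an integer greater than 1")
    if not digits:
        raise ValueError("an expansion needs at least one digit")
    n = 0
    for a in digits:
        if not 0 <= a <= b - 1:
            raise ValueError(f"{a} is not a base {b} digit")
        n = n * b + a              # Horner form of a_k b^k + ... + a_1 b + a_0
    return n


def strip_leading_zeros(digits):
    """Drop initial zeros but keep at least one digit."""
    i = 0
    while i < len(digits) - 1 and digits[i] == 0:
        i += 1
    return digits[i:]


def group_digits(digits, r, n):
    """Base r to base r**n: blocks of n digits, formed starting from the right."""
    pad = (-len(digits)) % n       # initial zeros needed to fill the first block
    padded = [0] * pad + list(digits)
    blocks = [padded[i:i + n] for i in range(0, len(padded), n)]
    return strip_leading_zeros([from_base(block, r) for block in blocks])


def split_digits(digits, r, n):
    """Base r**n to base r: every digit becomes a block of exactly n digits."""
    out = []
    for d in digits:
        if not 0 <= d < r ** n:
            raise ValueError(f"{d} is not a base {r ** n} digit")
        block = to_base(d, r) if d else []
        out.extend([0] * (n - len(block)) + block)
    return strip_leading_zeros(out)


def parse_text(text, b):
    """Text such as '2FB3' to a digit list, rejecting characters that are not base b digits."""
    digits = []
    for ch in text.upper():
        value = DIGITS.find(ch)
        if value < 0 or value >= b:
            raise ValueError(f"{ch!r} is not a base {b} digit")
        digits.append(value)
    return digits


def format_text(digits):
    """Digit list back to text, using the alphabet above."""
    return "".join(DIGITS[d] for d in digits)


if __name__ == "__main__":
    print(format_text(to_base(1864, 2)))                             # Example 2.2
    print(from_base(parse_text("A35B0F", 16), 16))                   # Example 2.3
    print(format_text(split_digits(parse_text("2FB3", 16), 2, 4)))   # Example 2.4
    print(format_text(group_digits(parse_text("11110111101001", 2), 2, 4)))
```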


EXERCISES 


1. Convert $(1999)_{10}$ from decimal to base 7 notation. Convert $(6105)_7$ from base 7 to decimal
notation.

2. Convert $(89156)_{10}$ from decimal to base 8 notation. Convert $(706113)_8$ from base 8 to decimal
notation.

3. Convert $(10101111)_2$ from binary to decimal notation and $(999)_{10}$ from decimal to binary
notation.

4. Convert $(101001000)_2$ from binary to decimal notation and $(1984)_{10}$ from decimal to binary
notation.

5. Convert $(100011110101)_2$ and $(11101001110)_2$ from binary to hexadecimal.

6. Convert $(ABCDEF)_{16}$, $(DEFACED)_{16}$, and $(9A0B)_{16}$ from hexadecimal to binary.

7. Explain why we really are using base 1000 notation when we break large decimal integers
into blocks of three digits, separated by commas.

8. Show that if b is a negative integer less than −1, then every nonzero integer n can be uniquely
written in the form

$n = a_k b^k + a_{k-1} b^{k-1} + \cdots + a_1 b + a_0$,

where $a_k \ne 0$ and $0 \le a_j < |b|$ for j = 0, 1, 2, ..., k. We write $n = (a_k a_{k-1} \ldots a_1 a_0)_b$, just
as we do for positive bases.

9. Find the decimal representation of $(101001)_{-2}$ and $(12012)_{-3}$.

10. Find the base −2 representations of the decimal numbers −7, −17, and 61.

11. Show that any weight not exceeding $2^k - 1$ may be measured using weights of $1, 2, 2^2, \ldots, 2^{k-1}$
when all the weights are placed in one pan.

12. Show that every nonzero integer can be uniquely represented in the form

$e_k 3^k + e_{k-1} 3^{k-1} + \cdots + e_1 3 + e_0$,

where $e_j = -1$, 0, or 1 for j = 0, 1, 2, ..., k and $e_k \ne 0$. This expansion is called a
balanced ternary expansion.

13. Use Exercise 12 to show that any weight not exceeding $(3^k - 1)/2$ may be measured using
weights of $1, 3, 3^2, \ldots, 3^{k-1}$, when the weights may be placed in either pan.

14. Explain how to convert from base 3 to base 9 notation, and from base 9 to base 3 notation.

15. Explain how to convert from base r to base $r^n$ notation, and from base $r^n$ to base r notation,
when r > 1 and n are positive integers.

16. Show that if $n = (a_k a_{k-1} \ldots a_1 a_0)_b$, then the quotient and remainder when n is divided by $b^j$
are $q = (a_k a_{k-1} \ldots a_j)_b$ and $r = (a_{j-1} \ldots a_1 a_0)_b$, respectively.

17. If the base b expansion of n is $n = (a_k a_{k-1} \ldots a_1 a_0)_b$, what is the base b expansion of $b^m n$?

One’s complement representations of integers are used to simplify computer arithmetic. To represent positive and negative integers with absolute value less than $2^n$, a total of $n + 1$ bits is used.

The leftmost bit is used to represent the sign. A 0 in this position is used for positive integers, and a 1 in this position is used for negative integers.

For positive integers, the remaining bits are identical to the binary expansion of the integer. For negative integers, the remaining bits are obtained by first finding the binary expansion of the absolute value of the integer, and then taking the complement of each of these bits, where the complement of a 1 is a 0 and the complement of a 0 is a 1.


18. Find the one’s complement representations, using bit strings of length six, of the following integers.
    a) 22   b) 31   c) −7   d) −19

19. What integer does each of the following one’s complement representations of length five represent?
    a) 11001   b) 01101   c) 10001   d) 11111


20. How is the one’s complement representation of —m obtained from the one’s complement of 
m, when bit strings of length n are used? 


21. Show that if $m$ is an integer with one’s complement representation $a_{n-1}a_{n-2} \ldots a_1 a_0$, then $m = -a_{n-1}(2^{n-1} - 1) + \sum_{i=0}^{n-2} a_i 2^i$.

Two’s complement representations of integers also are used to simplify computer arithmetic (in fact, they are used much more commonly than one’s complement representations). To represent an integer $x$ with $-2^{n-1} \le x \le 2^{n-1} - 1$, $n$ bits are used.

The leftmost bit represents the sign, with a 0 used for positive integers and a 1 for negative integers.

For a positive integer, the remaining $n - 1$ bits are identical to the binary expansion of the integer. For a negative integer, the remaining bits are the bits of the binary expansion of $2^{n-1} - |x|$.


22. Find the two’s complement representations, using bit strings of length six, of the integers in 
Exercise 18. 


23. What integers do the representations in Exercise 19 represent if each is the two’s complement 
representation of an integer? 


24. Show that if $m$ is an integer with two’s complement representation $a_{n-1}a_{n-2} \ldots a_1 a_0$, then $m = -a_{n-1} \cdot 2^{n-1} + \sum_{i=0}^{n-2} a_i 2^i$.


25. How is the two’s complement representation of —m obtained from the two’s complement 
representation of m, when bit strings of length n are used? 


26. How can the two’s complement representation of an integer be found from its one’s comple- 
ment representation? 


27. Sometimes integers are encoded by using four-digit binary expansions to represent each 
decimal digit. This produces the binary coded decimal form of the integer. For instance, 
791 is encoded in this way by 011110010001. How many bits are required to represent a 
number with n decimal digits using this type of encoding? 
A Cantor expansion of a positive integer $n$ is a sum

$$n = a_m m! + a_{m-1}(m - 1)! + \cdots + a_2 2! + a_1 1!,$$

where each $a_j$ is an integer with $0 \le a_j \le j$ and $a_m \neq 0$.

28. Find Cantor expansions of 14, 56, and 384.

29. Show that every positive integer has a unique Cantor expansion. (Hint: For each positive integer $n$ there is a positive integer $m$ such that $m! \le n < (m + 1)!$. For $a_m$, take the quotient from the division algorithm when $n$ is divided by $m!$, then iterate.)


The Chinese game of nim is played as follows. There are several piles of matches, each containing an arbitrary number of matches at the start of the game. To make a move, a player removes one or more matches from one of the piles. The players take turns, and the player who removes the last match wins the game.

A winning position is an arrangement of matches in piles such that if a player can move to this position, then (no matter what the second player does) the first player can continue to play in a way that will win the game. An example is the position where there are two piles, each containing one match; this is a winning position, because the second player must remove a match, leaving the first player the opportunity to win by removing the last match.


30. Show that the position in nim where there are two piles, each with two matches, is a winning 
position. 


31. For each arrangement of matches into piles, write the number of matches in each pile in binary notation, and then line up the digits of these numbers into columns (adding initial zeros where necessary). Show that a position is a winning one if and only if the number of 1s in each column is even. (For example: Three piles of 3, 4, and 7 give

    0 1 1
    1 0 0
    1 1 1

where each column has exactly two 1s.) (Hint: Show that any move from a winning position produces a nonwinning one. Show that there is a move from any nonwinning position to a winning one.)


Let a be an integer with a four-digit decimal expansion, where not all digits are the same. Let a’ 
be the integer with a decimal expansion obtained by writing the digits of a in descending order, 
and let a” be the integer with a decimal expansion obtained by writing the digits of a in ascending 
order. Define T (a) = a’ — a”. For instance, T (7318) = 8731 — 1378 = 7353. 


32. Show that the only integer with a four-digit decimal expansion (where not all digits are the 
same) such that T (a) = a is a = 6174. The integer 6174 is called Kaprekar’s constant, after 
the Indian mathematician D. R. Kaprekar, because it is the only integer with this property. 

33. a) Show that if $a$ is a positive integer with a four-digit decimal expansion where not all digits are the same, then the sequence $a, T(a), T(T(a)), T(T(T(a))), \ldots$, obtained by iterating $T$, eventually reaches the integer 6174.

    b) Determine the maximum number of steps required for the sequence defined in part (a) to reach 6174.


Let $b$ be a positive integer and let $a$ be an integer with a four-digit base $b$ expansion, with not all digits the same. Define $T_b(a) = a' - a''$, where $a'$ is the integer with base $b$ expansion obtained by writing the base $b$ digits of $a$ in descending order, and $a''$ is the integer with base $b$ expansion obtained by writing the base $b$ digits of $a$ in ascending order.

** 34. Let $b = 5$. Find the unique integer $a_0$ with a four-digit base 5 expansion such that $T_5(a_0) = a_0$. Show that this integer $a_0$ is a Kaprekar constant for base 5; in other words, that $a, T(a), T(T(a)), T(T(T(a))), \ldots$ eventually reaches $a_0$, whenever $a$ is an integer with a four-digit base 5 expansion where not all digits are the same.

35. Show that no Kaprekar constant exists for four-digit numbers to the base 6.

36. Determine whether there is a Kaprekar constant for three-digit integers to the base 10. Prove that your answer is correct.

37. A sequence $a_j$, $j = 1, 2, \ldots$ is called a Sidon sequence, after the Hungarian mathematician Simon Sidon, if all the pairwise sums $a_i + a_j$ where $i < j$ are different. Use Theorem 2.1 to show that the sequence $a_j$, $j = 1, 2, \ldots$ is a Sidon sequence when $a_j = 2^j$.


Computations and Explorations 


1. Find the binary, octal, and hexadecimal expansions of each of the following integers.
   a) 9876543210   b) 1111111111   c) 10000000001

2. Find the decimal expansion of each of the following integers.
   a) $(1010101010101)_2$   b) $(765432101234567)_8$   c) $(\mathrm{ABBAFADACABA})_{16}$

3. Evaluate each of the following sums, expressing your answer in the same base used to represent the summands.
   a) $(11011011011011011)_2 + (1001001001001001001001)_2$
   b) $(12345670123456)_8 + (765432107654321)_8$
   c) $(\mathrm{123456789ABCD})_{16} + (\mathrm{BABACACADADA})_{16}$

4. Find the Cantor expansions of the integers 100,000, 10,000,000, and 1,000,000,000. (See the preamble to Exercise 28 for the definition of Cantor expansions.)

5. Verify the result described in Exercise 33 for several different four-digit integers, in which not all digits are the same.

6. Use numerical evidence to make conjectures about the behavior of the sequence $a, T(a), T(T(a)), \ldots$ where $a$ is a five-digit integer in base 10 notation in which not all digits are the same, and $T(a)$ is defined as in the preamble to Exercise 32.

7. Explore the behavior for different bases $b$ of the sequence $a, T(a), T(T(a)), \ldots$ where $a$ is a three-digit integer in base $b$ notation. What conjectures can you make? Repeat your exploration using four-digit and then five-digit integers in base $b$ notation.

D. R. KAPREKAR (1905-1986) was born in Dahanu, India, and was interested in numbers even as a small child. He received his secondary school education in Thana and studied at Ferguson College in Poona. Kaprekar attended the University of Bombay, receiving his bachelor’s degree in 1929. From 1930 until his retirement in 1962, he worked as a schoolteacher in Devlali, India. Kaprekar discovered many interesting properties in recreational number theory. He published extensively, writing about such topics as recurring decimals, magic squares, and integers with special properties.


Programming Projects 


1. Find the binary expansion of an integer from the decimal expansion of this integer, and vice versa.

2. Convert from base $b_1$ notation to base $b_2$ notation, where $b_1$ and $b_2$ are arbitrary positive integers greater than 1.

3. Convert from binary notation to hexadecimal notation, and vice versa.

4. Find the base $(-2)$ notation of an integer from its decimal notation (see Exercise 8).

5. Find the balanced ternary expansion of an integer from its decimal expansion (see Exercise 12).

6. Find the Cantor expansion of an integer from its decimal expansion (see the preamble to Exercise 28).

7. Play a winning strategy in the game of nim (see the preamble to Exercise 30).

8. Investigate the sequence $a, T(a), T(T(a)), T(T(T(a))), \ldots$ (defined in the preamble to Exercise 32), where $a$ is a positive integer, to discover the minimum number of iterations required to reach 6174.


Computer Operations with Integers 


Before computers were invented, mathematicians did computations either by hand or 
by using mechanical devices. Either way, they were only able to work with integers of 
rather limited size. Many number theoretic problems, such as factoring and primality 
testing, require computations with integers of as many as 100 or even 200 digits. In this 
section, we will study some of the basic algorithms for doing computer arithmetic. In 
the following section, we will study the number of basic computer operations required 
to carry out these algorithms. 


We have mentioned that computers internally represent numbers using bits, or binary digits. Computers have a built-in limit on the size of integers that can be used in machine arithmetic. This upper limit is called the word size, which we denote by $w$. The word size is usually a power of 2, such as $2^{32}$ for Pentium machines or $2^{35}$, although sometimes the word size is a power of 10.

To do arithmetic with integers larger than the word size, it is necessary to devote more than one word to each integer. To store an integer $n > w$, we express $n$ in base $w$ notation, and for each digit of this expansion we use one computer word. For instance, if the word size is $2^{35}$, using ten computer words we can store integers as large as $2^{350} - 1$, because integers less than $2^{350}$ have no more than ten digits in their base $2^{35}$ expansions. Also note that to find the base $2^{35}$ expansion of an integer, we need only group together blocks of 35 bits.

The first step in discussing computer arithmetic with large integers is to describe how the basic arithmetic operations are methodically performed.

We will describe the classical methods for performing the basic arithmetic operations with integers in base $r$ notation, where $r > 1$ is an integer. These methods are examples of algorithms.

Definition. An algorithm is a finite set of precise instructions for performing a computation or for solving a problem.

We will describe algorithms for performing addition, subtraction, and multiplication of two $n$-digit integers $a = (a_{n-1}a_{n-2} \ldots a_1 a_0)_r$ and $b = (b_{n-1}b_{n-2} \ldots b_1 b_0)_r$, where initial digits of zero are added if necessary to make both expansions the same length. The algorithms described are used for both binary arithmetic with integers less than the word size of a computer, and multiple precision arithmetic with integers larger than the word size $w$, using $w$ as the base.


Addition  When we add $a$ and $b$, we obtain the sum

$$a + b = \sum_{j=0}^{n-1} a_j r^j + \sum_{j=0}^{n-1} b_j r^j = \sum_{j=0}^{n-1} (a_j + b_j) r^j.$$

To find the base $r$ expansion of $a + b$, first note that by the division algorithm, there are integers $C_0$ and $s_0$ such that

$$a_0 + b_0 = C_0 r + s_0, \quad 0 \le s_0 < r.$$

Because $a_0$ and $b_0$ are positive integers not exceeding $r$, we know that $0 \le a_0 + b_0 \le 2r - 2$, so that $C_0 = 0$ or $1$; here, $C_0$ is the carry to the next place. Next, we find that there are integers $C_1$ and $s_1$ such that

$$a_1 + b_1 + C_0 = C_1 r + s_1, \quad 0 \le s_1 < r.$$

Because $0 \le a_1 + b_1 + C_0 \le 2r - 1$, we know that $C_1 = 0$ or $1$. Proceeding inductively, we find integers $C_i$ and $s_i$ for $1 \le i \le n - 1$ by

$$a_i + b_i + C_{i-1} = C_i r + s_i, \quad 0 \le s_i < r,$$

with $C_i = 0$ or $1$. Finally, we let $s_n = C_{n-1}$ because the sum of two integers with $n$ digits has $n + 1$ digits when there is a carry in the $n$th place. We conclude that the base $r$ expansion for the sum is $a + b = (s_n s_{n-1} \ldots s_1 s_0)_r$.


When performing base r addition by hand, we can use the same familiar technique 
as is used in decimal addition. 


Example 2.5. To add $(1101)_2$ and $(1001)_2$, we write

      1     1
        1 1 0 1
    +   1 0 0 1
    -----------
      1 0 1 1 0

where we have indicated carries by 1s in italics written above the appropriate column. We found the binary digits of the sum by noting that $1 + 1 = 1 \cdot 2 + 0$, $0 + 0 + 1 = 0 \cdot 2 + 1$, $1 + 0 + 0 = 0 \cdot 2 + 1$, and $1 + 1 + 0 = 1 \cdot 2 + 0$. ◄


Subtraction Assume that a > b. Consider 


Note that by the division algorithm, there are integers $B_0$ and $d_0$ such that

$$a_0 - b_0 = B_0 r + d_0, \quad 0 \le d_0 < r,$$

and because $a_0$ and $b_0$ are positive integers less than $r$, we have

$$-(r - 1) \le a_0 - b_0 \le r - 1.$$

When $a_0 - b_0 \ge 0$, we have $B_0 = 0$. Otherwise, when $a_0 - b_0 < 0$, we have $B_0 = -1$; $B_0$ is the borrow from the next place of the base $r$ expansion of $a$. We use the division algorithm again to find integers $B_1$ and $d_1$ such that

$$a_1 - b_1 + B_0 = B_1 r + d_1, \quad 0 \le d_1 < r.$$

From this equation, we see that the borrow $B_1 = 0$ as long as $a_1 - b_1 + B_0 \ge 0$, and that $B_1 = -1$ otherwise, because $-r \le a_1 - b_1 + B_0 \le r - 1$. We proceed inductively to find integers $B_i$ and $d_i$, such that

$$a_i - b_i + B_{i-1} = B_i r + d_i, \quad 0 \le d_i < r,$$

with $B_i = 0$ or $-1$, for $1 \le i \le n - 1$. We see that $B_{n-1} = 0$, because $a > b$. We can conclude that

$$a - b = (d_{n-1} d_{n-2} \ldots d_1 d_0)_r.$$


Where the Word “Algorithm” Comes From 

“Algorithm” is a corruption of the original term “algorism,” which originally comes from the name of the author of the ninth-century book Kitab al-jabr w’al-muqabala (Rules of Restoration and Reduction), Abu Ja‘far Mohammed ibn Mûsâ al-Khwârizmî (see his biography included on the next page). The word “algorism” originally referred only to the rules of performing arithmetic using Hindu-Arabic numerals, but evolved into “algorithm” by the eighteenth century. With growing interest in computing machines, the concept of an algorithm became more general, to include all definite procedures for solving problems, not just the procedures for performing arithmetic with integers expressed in Arabic notation.
When performing base $r$ subtraction by hand, we use the familiar technique used in decimal subtraction.

Example 2.6. To subtract $(10110)_2$ from $(11011)_2$, we have

         -1
      1 1 0 1 1
    - 1 0 1 1 0
    -----------
          1 0 1

where the $-1$ in italics above a column indicates a borrow. We found the binary digits of the difference by noting that $1 - 0 = 0 \cdot 2 + 1$, $1 - 1 + 0 = 0 \cdot 2 + 0$, $0 - 1 + 0 = -1 \cdot 2 + 1$, $1 - 0 - 1 = 0 \cdot 2 + 0$, and $1 - 1 + 0 = 0 \cdot 2 + 0$. ◄

Multiplication  Before discussing multiplication, we describe shifting. To multiply $(a_{n-1} \ldots a_1 a_0)_r$ by $r^m$, we need only shift the expansion left $m$ places, appending the expansion with $m$ zero digits.

Example 2.7. To multiply $(101101)_2$ by $2^5$, we shift the digits to the left five places and append the expansion with five zeros, obtaining $(10110100000)_2$. ◄


We first discuss the multiplication of an $n$-place integer by a one-digit integer. To multiply $(a_{n-1} \ldots a_1 a_0)_r$ by $(b)_r$, we first note that

$$a_0 b = q_0 r + p_0, \quad 0 \le p_0 < r,$$

and $0 \le q_0 \le r - 2$, because $0 \le a_0 b \le (r - 1)^2$. Next, we have

$$a_1 b + q_0 = q_1 r + p_1, \quad 0 \le p_1 < r,$$

and $0 \le q_1 \le r - 1$. In general, we have

$$a_i b + q_{i-1} = q_i r + p_i, \quad 0 \le p_i < r,$$

and $0 \le q_i \le r - 1$. Furthermore, we have $p_n = q_{n-1}$. This yields $(a_{n-1} \ldots a_1 a_0)_r (b)_r = (p_n p_{n-1} \ldots p_1 p_0)_r$.

ABU JA‘FAR MOHAMMED IBN MÛSÂ AL-KHWÂRIZMÎ (c. 780-c. 850), an astronomer and mathematician, was a member of the House of Wisdom, an academy of scientists in Baghdad. The name al-Khwârizmî means “from the town of Kowarzizm,” now known as Khiva in modern Uzbekistan. Al-Khwârizmî was the author of books on mathematics, astronomy, and geography. People in the West first learned about algebra from his works; the word “algebra” comes from al-jabr, part of the title of his book Kitab al-jabr w’al muqabala, which was translated into Latin and widely used as a text. Another book describes procedures for arithmetic operations using Hindu-Arabic numerals.


To perform a multiplication of two $n$-place integers, we write

$$ab = a\left(\sum_{j=0}^{n-1} b_j r^j\right) = \sum_{j=0}^{n-1} (a b_j) r^j.$$

For each $j$, we first multiply $a$ by the digit $b_j$, then shift $j$ places to the left, and finally add all of the $n$ integers we have obtained to find the product.

When multiplying two integers with base $r$ expansions, we use the familiar method of multiplying decimal integers by hand.

Example 2.8. To multiply $(1101)_2$ and $(1110)_2$, we write

              1 1 0 1
            × 1 1 1 0
            ---------
              0 0 0 0
            1 1 0 1
          1 1 0 1
        1 1 0 1
      ---------------
      1 0 1 1 0 1 1 0

Note that we first multiplied $(1101)_2$ by each digit of $(1110)_2$, shifting each time by the appropriate number of places, and then we added the appropriate integers to find our product. ◄
Division  We wish to find the quotient $q$ in the division algorithm

$$a = bq + R, \quad 0 \le R < b.$$

If the base $r$ expansion of $q$ is $q = (q_{n-1} q_{n-2} \ldots q_1 q_0)_r$, then we have

$$a = b\left(\sum_{j=0}^{n-1} q_j r^j\right) + R, \quad 0 \le R < b.$$

To determine the first digit $q_{n-1}$ of $q$, notice that

$$a - b q_{n-1} r^{n-1} = b\left(\sum_{j=0}^{n-2} q_j r^j\right) + R.$$

The right-hand side of this equation is not only positive, but also less than $b r^{n-1}$, because $\sum_{j=0}^{n-2} q_j r^j \le \sum_{j=0}^{n-2} (r - 1) r^j = \sum_{j=1}^{n-1} r^j - \sum_{j=0}^{n-2} r^j = r^{n-1} - 1$. Therefore, we know that

$$0 \le a - b q_{n-1} r^{n-1} < b r^{n-1}.$$

This tells us that

$$q_{n-1} = \left[\frac{a}{b r^{n-1}}\right].$$

We can obtain $q_{n-1}$ by successively subtracting $b r^{n-1}$ from $a$ until we obtain a negative result; $q_{n-1}$ is then one less than the number of subtractions.

To find the other digits of $q$, we define the sequence of partial remainders $R_i$ by

$$R_0 = a$$

and

$$R_i = R_{i-1} - b q_{n-i} r^{n-i}$$

for $i = 1, 2, \ldots, n$. By mathematical induction, we show that

(2.1)  $R_i = \left(\sum_{j=0}^{n-i-1} q_j r^j\right) b + R.$

For $i = 0$, this is clearly correct, because $R_0 = a = qb + R$. Now assume that

$$R_k = \left(\sum_{j=0}^{n-k-1} q_j r^j\right) b + R.$$

Then

$$R_{k+1} = R_k - b q_{n-k-1} r^{n-k-1} = \left(\sum_{j=0}^{n-k-1} q_j r^j\right) b + R - b q_{n-k-1} r^{n-k-1} = \left(\sum_{j=0}^{n-(k+1)-1} q_j r^j\right) b + R,$$

establishing (2.1).

By (2.1), we see that $0 \le R_i < r^{n-i} b$, for $i = 1, 2, \ldots, n$, because $\sum_{j=0}^{n-i-1} q_j r^j \le r^{n-i} - 1$. Consequently, because $R_i = R_{i-1} - b q_{n-i} r^{n-i}$ and $0 \le R_i < r^{n-i} b$, we see that the digit $q_{n-i}$ is given by $[R_{i-1}/(b r^{n-i})]$ and can be obtained by successively subtracting $b r^{n-i}$ from $R_{i-1}$ until a negative result is obtained, and then $q_{n-i}$ is one less than the number of subtractions. This is how we find the digits of $q$.

Example 2.9. To divide $(11101)_2$ by $(111)_2$, we let $q = (q_2 q_1 q_0)_2$. We subtract $2^2(111)_2 = (11100)_2$ once from $(11101)_2$ to obtain $(1)_2$, and once more to obtain a negative result, so that $q_2 = 1$. Now, $R_1 = (11101)_2 - (11100)_2 = (1)_2$. We find that $q_1 = 0$, because $R_1 - 2(111)_2$ is less than zero, and likewise $q_0 = 0$. Hence, the quotient of the division is $(100)_2$ and the remainder is $(1)_2$. ◄
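The four procedures of this section (addition with carries, subtraction with borrows, shift-and-add multiplication, and division by partial remainders) can be written directly on lists of base $r$ digits. The Python below is an added example, not code from the book; the function names and the little-endian digit-list layout (index $j$ holds the coefficient of $r^j$) are assumptions made for the illustration.

```python
# Added example: schoolbook multiprecision arithmetic on base-r digit lists.
# Digit lists are little-endian: index j holds a_j, the coefficient of r**j.

def to_digits(n, r):
    """Base-r digits of a nonnegative int, least significant first."""
    digits = []
    while True:
        n, d = divmod(n, r)
        digits.append(d)
        if n == 0:
            return digits

def from_digits(digits, r):
    """Inverse of to_digits (Horner evaluation)."""
    value = 0
    for d in reversed(digits):
        value = value * r + d
    return value

def _pad(a, b):
    """Copies of a and b extended with leading zero digits to equal length."""
    n = max(len(a), len(b))
    return a + [0] * (n - len(a)), b + [0] * (n - len(b))

def _trim(digits):
    """Drop leading zero digits in place, keeping at least one digit."""
    while len(digits) > 1 and digits[-1] == 0:
        digits.pop()
    return digits

def add(a, b, r):
    """a_i + b_i + C_{i-1} = C_i*r + s_i, with carry C_i in {0, 1}."""
    a, b = _pad(a, b)
    out, carry = [], 0
    for ai, bi in zip(a, b):
        carry, s = divmod(ai + bi + carry, r)
        out.append(s)
    out.append(carry)                       # s_n = C_{n-1}
    return _trim(out)

def sub(a, b, r):
    """a_i - b_i + B_{i-1} = B_i*r + d_i, with borrow B_i in {0, -1}."""
    a, b = _pad(a, b)
    out, borrow = [], 0
    for ai, bi in zip(a, b):
        # Floor division makes the quotient -1 exactly when a borrow is needed.
        borrow, d = divmod(ai - bi + borrow, r)
        out.append(d)
    if borrow != 0:                         # B_{n-1} = 0 only when a >= b
        raise ValueError("sub() requires a >= b")
    return _trim(out)

def shift(a, m):
    """Multiply by r**m: append m zero digits at the low end."""
    return _trim([0] * m + a)

def mul_digit(a, b, r):
    """a_i*b + q_{i-1} = q_i*r + p_i; the final carry is the top digit p_n."""
    out, q = [], 0
    for ai in a:
        q, p = divmod(ai * b + q, r)
        out.append(p)
    out.append(q)
    return _trim(out)

def mul(a, b, r):
    """Sum over j of (a * b_j) shifted j places to the left."""
    total = [0]
    for j, bj in enumerate(b):
        total = add(total, shift(mul_digit(a, bj, r), j), r)
    return total

def less(a, b):
    """True when a < b, comparing from the most significant digit down."""
    a, b = _pad(a, b)
    return a[::-1] < b[::-1]

def divide(a, b, r):
    """Quotient digits from partial remainders R_i = R_{i-1} - b*q_{n-i}*r**(n-i).

    Each digit costs up to r - 1 subtractions, so this literal form is only
    practical for small r. Instead of subtracting once too often and counting
    one less, the loop checks R >= b*r**k before each subtraction.
    """
    if _trim(list(b)) == [0]:
        raise ZeroDivisionError("division by zero")
    rem, n = _trim(list(a)), len(a)
    q = [0] * n
    for k in range(n - 1, -1, -1):          # k = n - i
        step = shift(list(b), k)            # b * r**k
        while not less(rem, step):
            rem = sub(rem, step, r)
            q[k] += 1
    return _trim(q), rem
```

With $r = 2$ these functions reproduce Examples 2.5 through 2.9; with $r$ equal to a word size such as $2^{32}$, `add`, `sub` and `mul` are the multiple precision routines the section describes.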
EXERCISES

1. Add $(101111011)_2$ and $(1100111011)_2$.

2. Add $(10001000111101)_2$ and $(11111101011111)_2$.

3. Subtract $(11010111)_2$ from $(1111000011)_2$.

4. Subtract $(101110101)_2$ from $(1101101100)_2$.

5. Multiply $(11101)_2$ and $(110001)_2$.

6. Multiply $(1110111)_2$ and $(10011011)_2$.

7. Find the quotient and remainder when $(110011111)_2$ is divided by $(1101)_2$.

8. Find the quotient and remainder when $(110100111)_2$ is divided by $(11101)_2$.

9. Add $(1234321)_5$ and $(2030104)_5$.

10. Subtract $(434421)_5$ from $(4434201)_5$.

11. Multiply $(1234)_5$ and $(3002)_5$.

12. Find the quotient and remainder when $(14321)_5$ is divided by $(334)_5$.

13. Add $(\mathrm{ABAB})_{16}$ and $(\mathrm{BABA})_{16}$.

14. Subtract $(\mathrm{CAFE})_{16}$ from $(\mathrm{FEED})_{16}$.

15. Multiply $(\mathrm{FACE})_{16}$ and $(\mathrm{BAD})_{16}$.

16. Find the quotient and remainder when $(\mathrm{BEADED})_{16}$ is divided by $(\mathrm{ABBA})_{16}$.

17. Explain how to add, subtract, and multiply the integers 18235187 and 22135674 on a computer with word size 1000.

18. Write algorithms for the basic operations with integers in base $(-2)$ notation (see Exercise 8 of Section 2.1).

19. How is the one’s complement representation of the sum of two integers obtained from the one’s complement representations of those integers?

20. How is the one’s complement representation of the difference of two integers obtained from the one’s complement representations of those integers?

21. Give an algorithm for adding and an algorithm for subtracting Cantor expansions (see the preamble to Exercise 28 of Section 2.1).

22. A dozen equals 12, and a gross equals $12^2$. Using base 12, or duodecimal arithmetic, answer the following questions.

    a) If 3 gross, 7 dozen, and 4 eggs are removed from a total of 11 gross and 3 dozen eggs, how many eggs are left?

    b) If 5 truckloads of 2 gross, 3 dozen, and 7 eggs each are delivered to the supermarket, how many eggs are delivered?

    c) If 11 gross, 10 dozen, and 6 eggs are divided in 3 groups of equal size, how many eggs are in each group?

23. A well-known rule used to find the square of an integer with decimal expansion $(a_n a_{n-1} \ldots a_1 a_0)_{10}$ and final digit $a_0 = 5$ is to find the decimal expansion of the product $(a_n a_{n-1} \ldots a_1)_{10} [(a_n a_{n-1} \ldots a_1)_{10} + 1]$, and append this with the digits $(25)_{10}$. For instance, we see that the decimal expansion of $(165)^2$ begins with $16 \cdot 17 = 272$, so that $(165)^2 = 27{,}225$. Show that this rule is valid.
this rule is valid. 
24. In this exercise, we generalize the rule given in Exercise 23 to find the squares of integers with final base $2B$ digit $B$, where $B$ is a positive integer. Show that the base $2B$ expansion of the integer $(a_n a_{n-1} \ldots a_1 a_0)_{2B}^2$ starts with the digits of the base $2B$ expansion of the integer $(a_n a_{n-1} \ldots a_1)_{2B} [(a_n a_{n-1} \ldots a_1)_{2B} + 1]$ and ends with the digits $B/2$ and $0$ when $B$ is even, and the digits $(B - 1)/2$ and $B$ when $B$ is odd.


Computations and Explorations 


1. Verify the rules given in Exercises 23 and 24 for examples of your choice. 


Programming Projects 


1. Perform addition with arbitrarily large integers. 
2. Perform subtraction with arbitrarily large integers. 
3. Multiply two arbitrarily large integers using the conventional algorithm. 


4. Divide arbitrarily large integers, finding the quotient and remainder. 


Complexity of Integer Operations 


Once an algorithm has been specified for an operation, we can consider the amount of 
time required to perform this algorithm on a computer. We will measure the amount of 
time in terms of bit operations. By a bit operation we mean the addition, subtraction, or 
multiplication of two binary digits, the division of a two-bit by a one-bit integer (obtain- 
ing a quotient and a remainder), or the shifting of a binary integer one place. (The actual 
amount of time required to carry out a bit operation on a computer varies depending on 
the computer architecture and capacity.) When we describe the number of bit operations 
needed to perform an algorithm, we are describing the computational complexity of this 
algorithm. 


In describing the number of bit operations needed to perform calculations, we will 
use big-O notation. Big-O notation provides an upper bound on the size of a function in 
terms of a particular well-known reference function whose size at large values is easily 
understood. 


To motivate the definition of this notation, consider the following situation. Suppose that to perform a specified operation on an integer $n$ requires at most $n^3 + 8n^2 \log n$ bit operations. Because $8n^2 \log n < 8n^3$ for every positive integer, less than $9n^3$ bit operations are required for this operation for every integer $n$. Because the number of bit operations required is always less than a constant times $n^3$, namely, $9n^3$, we say that $O(n^3)$ bit operations are needed. In general, we have the following definition.

Definition. If $f$ and $g$ are functions taking positive values, defined for all $x \in S$, where $S$ is a specified set of real numbers, then $f$ is $O(g)$ on $S$ if there is a positive constant $K$ such that $f(x) < Kg(x)$ for all sufficiently large $x \in S$. (Normally, we take $S$ to be the set of positive integers, and we drop all reference to $S$.)
Big-O notation is used extensively throughout number theory and in the analysis of algorithms. Paul Bachmann introduced big-O notation in 1892 ([Ba94]). The big-O notation is sometimes called a Landau symbol, after Edmund Landau, who used this notation throughout his work in the estimation of various functions in number theory. The use of big-O notation in the analysis of algorithms was popularized by renowned computer scientist Donald Knuth.


We illustrate this concept of big-O notation with several examples. 


Example 2.10. We can show on the set of positive integers that $n^4 + 2n^3 + 5$ is $O(n^4)$. To do this, note that $n^4 + 2n^3 + 5 \le n^4 + 2n^4 + 5n^4 = 8n^4$ for all positive integers. (We take $K = 8$ in the definition.) The reader should also note that $n^4$ is $O(n^4 + 2n^3 + 5)$. ◄

Example 2.11. We can easily give a big-O estimate for $\sum_{j=1}^{n} j$. Noting that each summand is less than $n$ tells us that $\sum_{j=1}^{n} j \le \sum_{j=1}^{n} n = n \cdot n = n^2$. Note that we could also derive this estimate easily from the formula $\sum_{j=1}^{n} j = n(n + 1)/2$. ◄


We now will give some useful results for working with big-O estimates for combi- 
nations of functions. 


Theorem 2.2. If f is O(g) and c is a positive constant, then cf is O(g). 


PAUL GUSTAV HEINRICH BACHMANN (1837-1920), the son of a pastor, shared his father’s pious lifestyle, as well as his love of music. His talent for mathematics was discovered by one of his early teachers. After recovering from tuberculosis, he studied at the University of Berlin and later in Göttingen, where he attended lectures presented by Dirichlet. In 1862, he received his doctorate under the supervision of the number theorist Kummer. Bachmann became a professor at Breslau and later at Münster. After retiring, he continued mathematical research, played the piano, and served as a music critic for newspapers. His writings include a five-volume survey of number theory, a two-volume work on elementary number theory, a book on irrational numbers, and a book on Fermat’s last theorem (this theorem is discussed in Chapter 13). Bachmann introduced big-O notation in 1892.

EDMUND LANDAU (1877-1938) was the son of a Berlin gynecologist, and attended high school in Berlin. He received his doctorate in 1899 under the direction of Frobenius. Landau first taught at the University of Berlin and then moved to Göttingen, where he was full professor until the Nazis forced him to stop teaching. His main contributions to mathematics were in the field of analytic number theory; he established several important results concerning the distribution of primes. He authored a three-volume work on number theory and many other books on mathematical analysis and analytic number theory.
Proof. If $f$ is $O(g)$, then there is a constant $K$ with $f(x) < Kg(x)$ for all $x$ under consideration. Hence $cf(x) < (cK)g(x)$, so $cf$ is $O(g)$. ■

Theorem 2.3. If $f_1$ is $O(g_1)$ and $f_2$ is $O(g_2)$, then $f_1 + f_2$ is $O(g_1 + g_2)$, and $f_1 f_2$ is $O(g_1 g_2)$.

Proof. If $f_1$ is $O(g_1)$ and $f_2$ is $O(g_2)$, then there are constants $K_1$ and $K_2$ such that $f_1(x) < K_1 g_1(x)$ and $f_2(x) < K_2 g_2(x)$ for all $x$ under consideration. Hence,

$$f_1(x) + f_2(x) < K_1 g_1(x) + K_2 g_2(x) \le K(g_1(x) + g_2(x)),$$

where $K$ is the maximum of $K_1$ and $K_2$. Hence, $f_1 + f_2$ is $O(g_1 + g_2)$.

Also,

$$f_1(x) f_2(x) < K_1 g_1(x) K_2 g_2(x) = (K_1 K_2)(g_1(x) g_2(x)),$$

so $f_1 f_2$ is $O(g_1 g_2)$. ■

Corollary 2.3.1. If $f_1$ and $f_2$ are $O(g)$, then $f_1 + f_2$ is $O(g)$.

Proof. Theorem 2.3 tells us that $f_1 + f_2$ is $O(2g)$. But if $f_1 + f_2 < K(2g)$, then $f_1 + f_2 < (2K)g$, so $f_1 + f_2$ is $O(g)$. ■


DONALD KNUTH (b. 1938) grew up in Milwaukee, where his father owned 
a small printing business and taught bookkeeping. He was an excellent student 
who also applied his intelligence in unconventional ways, such as finding more 
than 4500 words that could be spelled from the letters in “Ziegler’s Giant Bar,” 
winning a television set for his school and candy bars for everyone in his class. 

Knuth graduated from Case Institute of Technology in 1960 with B.S. and 
M.S. degrees in mathematics, by special award of the faculty who considered 
his work outstanding. At Case, he managed the basketball team and applied his 
mathematical talents by evaluating each player using a formula he developed (receiving coverage on 
CBS television and in Newsweek). Knuth received his doctorate in 1963 from the California Institute 
of Technology. 

Knuth taught at the California Institute of Technology and Stanford University, retiring in 1992 
to concentrate on writing. He is especially interested in updating and adding to his famous series, 
The Art of Computer Programming. This series has had a profound influence on the development of 
computer science. Knuth is the founder of the modern study of computational complexity and has 
made fundamental contributions to the theory of compilers. Knuth has also invented the widely used 
TeX and Metafont systems used for mathematical (and general) typography. TeX played an important 
role in the development of HTML and the Internet. He popularized the big-O notation in his work on 
the analysis of algorithms. 

Knuth has written for a wide range of professional journals in computer science and mathematics. 
However, his first publication, in 1957, when he was a college freshman, was “The Potrzebie 
System of Weights and Measures,” a parody of the metric system, which appeared in MAD Magazine. 
The goal in using big-O estimates is to give the best big-O estimate possible while using the simplest reference function possible. Well-known reference functions used in big-O estimates include $1$, $\log n$, $n$, $n \log n$, $n \log n \log\log n$, $n^2$, and $2^n$, as well as some other important functions. Calculus can be used to show that each function in this list is smaller than the next function in the list, in the sense that the ratio of the function and the next function tends to 0 as $n$ grows without bound. Note that more complicated functions than these occur in big-O estimates, as you will see in later chapters.

We illustrate how to use theorems for working with big-O estimates with the following example.

Example 2.12. To give a big-O estimate for $(n + 8\log n)(10n \log n + 17n^2)$, first note that $n + 8\log n$ is $O(n)$ and $10n \log n + 17n^2$ is $O(n^2)$ (because $\log n$ is $O(n)$ and $n \log n$ is $O(n^2)$) by Theorems 2.2 and 2.3 and Corollary 2.3.1. By Theorem 2.3, we see that $(n + 8\log n)(10n \log n + 17n^2)$ is $O(n^3)$. ◄


Using big-O notation, we can see that to add or subtract two n-bit integers takes 
$O(n)$ bit operations, whereas to multiply two n-bit integers in the conventional way 
takes $O(n^2)$ bit operations (see Exercises 12 and 13 at the end of this section). 
Surprisingly, there are faster algorithms for multiplying large integers. To develop one 
such algorithm, we first consider the multiplication of two 2n-bit integers, say, 
$a = (a_{2n-1}a_{2n-2}\ldots a_1a_0)_2$ and $b = (b_{2n-1}b_{2n-2}\ldots b_1b_0)_2$. We write 

$$a = 2^nA_1 + A_0, \qquad b = 2^nB_1 + B_0,$$

where 

$$A_1 = (a_{2n-1}a_{2n-2}\ldots a_{n+1}a_n)_2, \qquad A_0 = (a_{n-1}a_{n-2}\ldots a_1a_0)_2,$$
$$B_1 = (b_{2n-1}b_{2n-2}\ldots b_{n+1}b_n)_2, \qquad B_0 = (b_{n-1}b_{n-2}\ldots b_1b_0)_2.$$

We will use the identity 

$$ab = (2^{2n} + 2^n)A_1B_1 + 2^n(A_1 - A_0)(B_0 - B_1) + (2^n + 1)A_0B_0. \tag{2.2}$$


To find the product of a and b using (2.2) requires that we perform three multiplications 
of n-bit integers (namely, $A_1B_1$, $(A_1 - A_0)(B_0 - B_1)$, and $A_0B_0$), as well as a number 
of additions and shifts. This is illustrated by the following example. 


Example 2.13. We can use (2.2) to multiply $(1101)_2$ and $(1011)_2$. We have $(1101)_2 = 
2^2(11)_2 + (01)_2$ and $(1011)_2 = 2^2(10)_2 + (11)_2$. Using (2.2), we find that 

$$\begin{aligned}
(1101)_2(1011)_2 &= (2^4 + 2^2)(11)_2(10)_2 + 2^2\big((11)_2 - (01)_2\big)\big((11)_2 - (10)_2\big) + (2^2 + 1)(01)_2(11)_2 \\
&= (2^4 + 2^2)(110)_2 + 2^2(10)_2(01)_2 + (2^2 + 1)(11)_2 \\
&= (1100000)_2 + (11000)_2 + (1000)_2 + (1100)_2 + (11)_2 \\
&= (10001111)_2.
\end{aligned}$$


We will now estimate the number of bit operations required to multiply two n-bit integers 
by using (2.2) repeatedly. If we let M(n) denote the number of bit operations needed to 
multiply two n-bit integers, we find from (2.2) that 

$$M(2n) \le 3M(n) + Cn, \tag{2.3}$$

where C is a constant, because each of the three multiplications of n-bit integers takes 
M(n) bit operations, whereas the number of additions and shifts needed to compute ab 
via (2.2) does not depend on n, and each of these operations takes O(n) bit operations. 


From (2.3), using mathematical induction, we can show that 

$$M(2^k) \le c(3^k - 2^k), \tag{2.4}$$

where c is the maximum of the quantities M(2) and C (the constant in (2.3)). To carry out 
the induction argument, we first note that with k = 1, we have $M(2) \le c(3^1 - 2^1) = c$, 
because c is the maximum of M(2) and C. 


As the induction hypothesis, we assume that 

$$M(2^k) \le c(3^k - 2^k).$$

Then, using (2.3), we have 

$$\begin{aligned}
M(2^{k+1}) &\le 3M(2^k) + C2^k \\
&\le 3c(3^k - 2^k) + C2^k \\
&\le c3^{k+1} - c\cdot 3\cdot 2^k + c2^k \\
&\le c(3^{k+1} - 2^{k+1}).
\end{aligned}$$

This establishes that (2.4) is valid for all positive integers k. 
Using inequality (2.4), we can prove the following theorem. 


Theorem 2.4. Multiplication of two n-bit integers can be performed using $O(n^{\log_2 3})$ 
bit operations. (Note: $\log_2 3$ is approximately 1.585, which is considerably less than the 
exponent 2 that occurs in the estimate of the number of bit operations needed for the 
conventional multiplication algorithm.) 


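Proof. From (2.4), we have 

$$\begin{aligned}
M(n) = M(2^{\log_2 n}) &\le M(2^{[\log_2 n]+1}) \\
&\le c(3^{[\log_2 n]+1} - 2^{[\log_2 n]+1}) \\
&\le 3c\cdot 3^{[\log_2 n]} \le 3c\cdot 3^{\log_2 n} = 3cn^{\log_2 3}
\end{aligned}$$

(because $3^{\log_2 n} = n^{\log_2 3}$). Hence, M(n) is $O(n^{\log_2 3})$. 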
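
The recursion behind (2.3) and Theorem 2.4, as an added Python example (not from the book): identity (2.2) is applied down to 1-bit factors, and the 1-bit multiplications are counted. The function names and the way the signs of the differences $A_1 - A_0$ and $B_0 - B_1$ are handled are choices made for this illustration.

```python
# Added illustration of identity (2.2); all names are this example's own.

def multiply_2_2(a, b, bits, counter):
    """Multiply nonnegative integers a, b < 2**bits using identity (2.2).

    bits must be a power of two. counter[0] is incremented once for every
    1-bit multiplication, which is the base case of the recursion.
    """
    if bits == 1:
        counter[0] += 1
        return a & b                      # product of two single bits
    n = bits // 2
    mask = (1 << n) - 1
    A1, A0 = a >> n, a & mask             # a = 2^n * A1 + A0
    B1, B0 = b >> n, b & mask             # b = 2^n * B1 + B0
    # The differences may be negative. Their magnitudes are below 2^n,
    # so multiply the magnitudes recursively and restore the sign.
    dA, dB = A1 - A0, B0 - B1
    sign = -1 if (dA < 0) != (dB < 0) else 1
    high = multiply_2_2(A1, B1, n, counter)
    mid = sign * multiply_2_2(abs(dA), abs(dB), n, counter)
    low = multiply_2_2(A0, B0, n, counter)
    # (2^(2n) + 2^n) A1 B1 + 2^n (A1 - A0)(B0 - B1) + (2^n + 1) A0 B0
    return (high << (2 * n)) + (high << n) + (mid << n) + (low << n) + low


def multiply(a, b):
    """Pad to a power-of-two bit length and multiply with (2.2).

    Returns (product, number of 1-bit multiplications used).
    """
    bits = 1
    while bits < max(a.bit_length(), b.bit_length(), 1):
        bits *= 2
    counter = [0]
    return multiply_2_2(a, b, bits, counter), counter[0]


if __name__ == "__main__":
    product, used = multiply(0b1101, 0b1011)          # Example 2.13
    print(bin(product), "using", used, "one-bit multiplications")
    print("bits  via (2.2)  3^k  conventional n^2")
    for k in range(1, 8):
        n = 2 ** k
        _, used = multiply((1 << n) - 1, (1 << n) - 1)
        print(n, used, 3 ** k, n * n)
```

For $2^k$-bit inputs the count is exactly $3^k$, compared with the $n^2 = 4^k$ one-bit products of the conventional method.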

We now state, without proof, two pertinent theorems. Proofs may be found in [Kn97] 
or [Kr79]. 


Theorem 2.5. Given a positive number $\epsilon > 0$, there is an algorithm for multiplication 
of two n-bit integers using $O(n^{1+\epsilon})$ bit operations. 


Note that Theorem 2.4 is a special case of Theorem 2.5 with $\epsilon = \log_2 3 - 1$, which 
is approximately 0.585. 


Theorem 2.6. There is an algorithm to multiply two n-bit integers using 
$O(n \log_2 n \log_2 \log_2 n)$ bit operations. 


Because $\log_2 n$ and $\log_2 \log_2 n$ are much smaller than $n^\epsilon$ for large numbers n, 
Theorem 2.6 is an improvement over Theorem 2.5. Although we know that M(n) is 
$O(n \log_2 n \log_2 \log_2 n)$, for simplicity we will use the obvious fact that M(n) is $O(n^2)$ 
in our subsequent discussions. 


The conventional algorithm described in Section 2.2 performs a division of a 2n-bit 
integer by an n-bit integer with $O(n^2)$ bit operations. However, the number of bit 
operations needed for integer division can be related to the number of bit operations 
needed for integer multiplication. We state the following theorem, which is based on an 
algorithm discussed in [Kn97]. 


Theorem 2.7. There is an algorithm to find the quotient $q = [a/b]$, when the 2n-bit 
integer a is divided by the integer b (having no more than n bits), using O(M(n)) 
bit operations, where M(n) is the number of bit operations needed to multiply two 
n-bit integers. 


EXERCISES 


1. Determine whether each of the following functions is O(n) on the set of positive integers. 
   a) $2n + 7$ 
   b) $n^2/3$ 
   c) $10$ 
   d) $\log(n^2 + 1)$ 
   e) $\sqrt{n^2 + 1}$ 
   f) $(n^2 + 1)/(n + 1)$ 

2. Show that $2n^4 + 3n^3 + 17$ is $O(n^4)$ on the set of positive integers. 

3. Show that $(n^3 + 4n^2 \log n + 101n^2)(14n \log n + 8n)$ is $O(n^4 \log n)$. 

4. Show that $n!$ is $O(n^n)$ on the set of positive integers. 

5. Show that $(n! + 1)(n + \log n) + (n^3 + n^n)((\log n)^3 + n + 7)$ is $O(n^{n+1})$. 

6. Suppose that m is a positive real number. Show that $\sum_{j=1}^{n} j^m$ is $O(n^{m+1})$. 

7. Show that $n \log n$ is $O(\log n!)$ on the set of positive integers. 

8. Show that if $f_1$ and $f_2$ are $O(g_1)$ and $O(g_2)$, respectively, and $c_1$ and $c_2$ are constants, then 
   $c_1f_1 + c_2f_2$ is $O(g_1 + g_2)$. 

9. Show that if f is O(g), then $f^k$ is $O(g^k)$ for all positive integers k. 

10. Let r be a positive real number greater than 1. Show that a function f is $O(\log_2 n)$ if and 
    only if f is $O(\log_r n)$. (Hint: Recall that $\log_a n / \log_b n = \log_a b$.) 

11. Show that the base b expansion of a positive integer n has $[\log_b n] + 1$ digits. 

12. Analyzing the conventional algorithms for subtraction and addition, show that these 
    operations require O(n) bit operations with n-bit integers. 

13. Show that to multiply an n-bit and an m-bit integer in the conventional manner requires 
    O(nm) bit operations. 

14. Estimate the number of bit operations needed to find $1 + 2 + \cdots + n$ 
    a) by performing all the additions; 
    b) by using the identity $1 + 2 + \cdots + n = n(n + 1)/2$, and multiplying and shifting. 

15. Give an estimate for the number of bit operations needed to find each of the following 
    quantities. 
    a) $n!$ 
    b) $\binom{n}{k}$ 

16. Give an estimate of the number of bit operations needed to find the binary expansion of an 
    integer from its decimal expansion. 

17. Use identity (2.2) with n = 2 to multiply $(1001)_2$ and $(1011)_2$. 

18. Use identity (2.2) with n = 4, and then with n = 2, to multiply $(10010011)_2$ and $(11001001)_2$. 

19. a) Show there is an identity analogous to (2.2) for decimal expansions. 

    b) Using part (a), multiply 73 and 87 performing only three multiplications of one-digit 
    integers, plus shifts and additions. 

    c) Using part (a), reduce the multiplication of 4216 and 2733 to three multiplications of 
    two-digit integers, plus shifts and additions; then, using part (a) again, reduce each of 
    the multiplications of two-digit integers into three multiplications of one-digit integers, 
    plus shifts and additions. Complete the multiplication using only nine multiplications of 
    one-digit integers, and shifts and additions. 

20. If A and B are n × n matrices, with entries $a_{ij}$ and $b_{ij}$ for $1 \le i \le n$, $1 \le j \le n$, then AB is 
    the n × n matrix with entries $c_{ij} = \sum_{k=1}^{n} a_{ik}b_{kj}$. Show that $n^3$ multiplications of integers are 
    used to find AB directly from its definition. 

21. Show that it is possible to multiply two 2 × 2 matrices using only seven multiplications of 
    integers, by using the identity 

$$\begin{pmatrix} a_{11} & a_{12} \\ a_{21} & a_{22} \end{pmatrix}
\begin{pmatrix} b_{11} & b_{12} \\ b_{21} & b_{22} \end{pmatrix}
=
\begin{pmatrix}
a_{11}b_{11} + a_{12}b_{21} & x + (a_{21} + a_{22})(b_{12} - b_{11}) + (a_{11} + a_{12} - a_{21} - a_{22})b_{22} \\
x + (a_{11} - a_{21})(b_{22} - b_{12}) - a_{22}(b_{11} - b_{21} - b_{12} + b_{22}) & x + (a_{11} - a_{21})(b_{22} - b_{12}) + (a_{21} + a_{22})(b_{12} - b_{11})
\end{pmatrix},$$

    where $x = a_{11}b_{11} - (a_{11} - a_{21} - a_{22})(b_{11} - b_{12} + b_{22})$. 

22. Using an inductive argument, and splitting (2n) × (2n) matrices into four n × n matrices, 
    use Exercise 21 to show that it is possible to multiply two $2^k \times 2^k$ matrices using only $7^k$ 
    multiplications, and less than $7^{k+1}$ additions. 

23. Conclude from Exercise 22 that two n × n matrices can be multiplied using $O(n^{\log_2 7})$ bit 
    operations when all entries of the matrices have less than c bits, where c is a constant. 


Computations and Explorations 


1. Multiply 81,873,569 and 41,458,892 by using identity (2.2) with these eight-digit integers, 
with the resulting four-digit integers, and with the resulting two-digit integers. 


2. Multiply two 8 × 8 matrices of your choice, by using the identity in Exercise 21 with these 
matrices and then again for the multiplication of the resulting 4 × 4 matrices. 


Programming Projects 


1. Multiply two arbitrarily large integers using identity (2.2). 


2. Multiply two n × n matrices using the algorithm discussed in Exercises 21-23. 


Primes and Greatest Common Divisors 


This chapter introduces a central concept of number theory, namely, that of a prime 
number. A prime is an integer with precisely two positive integer divisors. Prime 
numbers were studied extensively by the ancient Greeks, who discovered many of their 
basic properties. In the past three centuries, mathematicians have devoted countless hours 
to exploring the world of primes. They have discovered many fascinating properties, 
formulated diverse conjectures, and proved interesting and surprising results. Research 
into questions involving primes continues today, partly driven by the importance of 
primes in modern cryptography. Open questions about primes stimulate new research. 
There are also tens of thousands of people trying to enter the record books by finding 
the largest prime yet known. 


In this chapter, we will show that there are infinitely many primes. The proof we 
will give dates back to ancient times. We will also show how to find all the primes not 
exceeding a given integer, using the sieve of Eratosthenes, also dating back to antiquity. 
We will discuss the distribution of primes, and state the famous prime number theorem 
that was proved at the end of the nineteenth century. This theorem provides an accurate 
estimate for the number of primes not exceeding a given integer. Many questions about 
primes remain open despite attention from mathematicians over hundreds of years; we 
will discuss a selection of such problems, including two of the best known, the twin 
prime conjecture and Goldbach’s conjecture. 


This chapter also shows that every positive integer can be written uniquely as the 
product of primes (when the primes are written in increasing order of size). This result 
is known as the fundamental theorem of arithmetic. To prove this theorem, we will use 
the concept of the greatest common divisor of two integers. We will establish many 
important properties of the greatest common divisor in this chapter, such as the fact 
that it is the smallest positive linear combination of these integers. We will describe the 
Euclidean algorithm that can be used for finding the greatest common divisor of two 
integers, and analyze its computational complexity. We will discuss methods used to 
find the factorization of integers into products of primes, and discuss the complexity 
of these methods. Numbers of special form are often studied in number theory; in this 
chapter, we will introduce the Fermat numbers, which are integers of the form $2^{2^n} + 1$. 
(Fermat conjectured that they are all prime but this turns out not to be true.) 


Finally, we will introduce the concept of a diophantine equation, which is an equa- 
tion where only solutions in integers are sought. We will show how greatest common 
divisors can be used to help solve linear diophantine equations. Unlike many other dio- 
phantine equations, linear diophantine equations can be solved easily and systematically. 


Prime Numbers 


The positive integer 1 has just one positive divisor. Every other positive integer has at 
least two positive divisors, because it is divisible by 1 and by itself. Integers with exactly 
two positive divisors are of great importance in number theory; they are called primes. 


Definition. A prime is an integer greater than 1 that is divisible by no positive integers 
other than 1 and itself. 


Example 3.1. The integers 2, 3, 5, 13, 101, and 163 are primes. 


Definition. An integer greater than 1 that is not prime is called composite. 


Example 3.2. The integers 4 = 2 · 2, 8 = 4 · 2, 33 = 3 · 11, 111 = 3 · 37, and 1001 = 
7 · 11 · 13 are composite. 


The primes are the multiplicative building blocks of the integers. Later, we will show 
that every positive integer can be written uniquely as the product of primes. 


In this section, we will discuss the distribution of prime numbers among the set of 
positive integers, and prove some elementary properties about this distribution. We will 
also discuss more powerful results about the distribution of primes. The theorems we 
will introduce include some of the most famous results in number theory. 


You can find all primes less than 10,000 in Table E.1 at the end of the book. 


The Infinitude of Primes We start by showing that there are infinitely many primes, 
for which the following lemma is needed. 


Lemma 3.1. Every integer greater than 1 has a prime divisor. 


Proof. We prove the lemma by contradiction; we assume that there is a positive integer 
greater than 1 having no prime divisors. Then, since the set of positive integers greater 
than 1 with no prime divisors is nonempty, the well-ordering property tells us that there 
is a least positive integer n greater than 1 with no prime divisors. Because n has no prime 
divisors and n divides n, we see that n is not prime. Hence, we can write n = ab with 
1 < a < n and 1 < b < n. Because a < n, a must have a prime divisor. By Theorem 1.8, 
any divisor of a is also a divisor of n, so n must have a prime divisor, contradicting the 
fact that n has no prime divisors. We can conclude that every positive integer greater 
than 1 has at least one prime divisor. 


We now show that there are infinitely many primes, a wondrous result known by 
the ancient Greeks. This is one of the key theorems in number theory that can be proved 
in a variety of ways. The proof we will provide was presented by Euclid in his book 
the Elements (Book IX, 20). This simple yet elegant proof is considered by many to be 
particularly beautiful. It is not surprising that the very first proof found in the book Proofs 
from THE BOOK [AiZi10], a collection of particularly insightful and clever proofs, 
begins with this proof found in Euclid. Moreover, this book presents six quite different 
proofs of the infinitude of primes. (Here, THE BOOK refers to the imagined collection 
of perfect proofs that Paul Erdős claimed is maintained by God.) We will introduce 
a variety of different proofs that there are infinitely many primes later in this chapter. 
(See Exercise 8 at the end of this section, the exercise sets in Sections 3.3 and 3.5, and 
Section 3.6.) 


Theorem 3.1. There are infinitely many primes. 


Proof. Suppose that there are only finitely many primes, $p_1, p_2, \ldots, p_n$, where n is a 
positive integer. Consider the integer $Q_n$, obtained by multiplying these primes together 
and adding one, that is, 

$$Q_n = p_1p_2\cdots p_n + 1.$$

By Lemma 3.1, $Q_n$ has at least one prime divisor, say, q. We obtain a contradiction by 
showing that q is not one of the primes listed. (These supposedly formed a complete list of 
all primes.) If $q = p_j$ for some integer j with $1 \le j \le n$, then since $Q_n - p_1p_2\cdots p_n = 1$, 
because q divides both terms on the left-hand side of this equation, by Theorem 1.9 it 
follows that q | 1. This is impossible because no prime divides 1. Consequently, q must be 
a prime we have not listed. This contradiction shows that there are infinitely many primes. 


The proof of Theorem 3.1 is nonconstructive because the integer we have 
constructed in the proof, $Q_n$, which is one more than the product of the first n primes, may 
or may not be prime (see Exercise 11). Consequently, in the proof we have not found a 
new prime, but we know that one exists. 


Finding Primes In later chapters, we will be interested in finding and using extremely 
large primes. Tests distinguishing between primes and composite integers will be crucial; 
such tests are called primality tests. The most basic primality test is trial division, which 
tells us that the integer n is prime if and only if it is not divisible by any prime not 
exceeding $\sqrt{n}$. We now prove that this test can be used to determine whether n is prime. 


Theorem 3.2. If n is a composite integer, then n has a prime factor not exceeding $\sqrt{n}$. 


Proof. Because n is composite, we can write n = ab, where a and b are integers with 
$1 < a \le b < n$. We must have $a \le \sqrt{n}$, since otherwise $b \ge a > \sqrt{n}$ and $ab > \sqrt{n}\cdot\sqrt{n} = n$. 
Now, by Lemma 3.1, a must have a prime divisor, which by Theorem 1.8 is also a 
divisor of n and which is clearly less than or equal to $\sqrt{n}$. 


We can use Theorem 3.2 to find all the primes less than or equal to a given positive 
integer n. This procedure is called the sieve of Eratosthenes, since it was invented by 
the ancient Greek mathematician Eratosthenes. We illustrate its use in Figure 3.1 by 
finding all primes less than 100. We first note that every composite integer less than 100 
must have a prime factor less than $\sqrt{100} = 10$. Because the only primes less than 10 are 
2, 3, 5, and 7, we only need to check each integer less than 100 for divisibility by these 
primes. We first cross out, with a horizontal line (—), all multiples of 2 greater than 2. 
Next, we cross out with a slash (/) those integers remaining that are multiples of 3, other 
than 3 itself. Then all multiples of 5, other than 5, that remain are crossed out with a 
backslash (\). Finally, all multiples of 7, other than 7, that are left are crossed out with a 
vertical stroke (|). All remaining integers (other than 1, which we cross out using an ×) 
must be prime (and are shown in boldface in the figure). 


[Figure: the integers from 1 to 100 arranged in ten rows of ten, with the composite integers crossed out and the primes shown in boldface.] 

Figure 3.1 Using the sieve of Eratosthenes to find the primes less than 100. 


Although the sieve of Eratosthenes produces all primes less than or equal to a fixed 
integer, to determine in this manner whether a particular integer n is prime it is necessary 
to check n for divisibility by all primes not exceeding $\sqrt{n}$. This is quite inefficient; later, 
we will give better methods for deciding whether or not an integer is prime. 


We now introduce a function that counts the primes not exceeding a specified 
number. 


Definition. The function $\pi(x)$, where x is a positive real number, denotes the number 
of primes not exceeding x. 


ERATOSTHENES (c. 276-194 B.C.E.) was born in Cyrene, which was a Greek 
colony west of Egypt. It is known that he spent some time studying at Plato’s 
school in Athens. King Ptolemy II invited Eratosthenes to Alexandria to tutor 
his son. Later, Eratosthenes became the chief librarian of the famous library 
at Alexandria, which was a central repository of ancient works of literature, 
art, and science. He was an extremely versatile scholar, having written on 
mathematics, geography, astronomy, history, philosophy, and literature. Besides 
his work in mathematics, Eratosthenes was most noted for his chronology of 
ancient history and for his geographical measurements, including his famous measurement of the 
size of the earth. 

Example 3.3. From our illustration of the sieve of Eratosthenes, we see that $\pi(10) = 4$ 
and $\pi(100) = 25$. 
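
The sieve procedure and the counting function $\pi(x)$, as an added Python example (not from the book). It records, for each crossed-out integer, the prime that first crossed it out, which corresponds to the four kinds of marks used in Figure 3.1; the function names are this example's own.

```python
from math import isqrt


def sieve_marks(n):
    """Sieve the integers 0..n (n >= 0).

    mark[m] is the prime that first crossed out m, or 0 if m was never
    crossed out. For m >= 2, mark[m] == 0 exactly when m is prime.
    """
    mark = [0] * (n + 1)
    # Theorem 3.2: every composite m <= n has a prime factor <= sqrt(n),
    # so only primes p <= sqrt(n) are needed for crossing out.
    for p in range(2, isqrt(n) + 1):
        if mark[p] == 0:                       # p survived, so p is prime
            # Multiples of p below p*p have a smaller prime factor and
            # were already crossed out in an earlier pass.
            for multiple in range(p * p, n + 1, p):
                if mark[multiple] == 0:
                    mark[multiple] = p
    return mark


def primes_up_to(n):
    """All primes less than or equal to the integer n."""
    if n < 2:
        return []
    mark = sieve_marks(n)
    return [m for m in range(2, n + 1) if mark[m] == 0]


def prime_pi(x):
    """pi(x): the number of primes not exceeding the positive real x."""
    return len(primes_up_to(int(x)))


def marks_histogram(n):
    """How many integers up to n each sieving prime crossed out first."""
    counts = {}
    for p in sieve_marks(n)[2:]:
        if p:
            counts[p] = counts.get(p, 0) + 1
    return counts


if __name__ == "__main__":
    print(primes_up_to(100))
    print("pi(10) =", prime_pi(10), " pi(100) =", prime_pi(100))
    # Integers crossed out by 2, 3, 5, and 7 in the sieve up to 100.
    print(marks_histogram(100))
```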


Primes in Arithmetic Progressions Every odd integer is either of the form 4n + 1 
or the form 4n + 3. Are there infinitely many primes in both these forms? The primes 
5, 13, 17, 29, 37, 41, ... are of the form 4n + 1, and the primes 3, 7, 11, 19, 23, 31, 
43,... are of the form 4n + 3. Looking at this evidence hints that there are infinitely 
many primes in both these progressions. What about other arithmetic progressions such 
as 3n + 1, 7n + 4, 8n + 7, and so on? Does each of these contain infinitely many primes? 

German mathematician G. Lejeune Dirichlet settled this question in 1837, when he used 
methods from complex analysis to prove the following theorem. 


Theorem 3.3. Dirichlet’s Theorem on Primes in Arithmetic Progressions. Suppose 
that a and b are relatively prime positive integers. Then the arithmetic progression 
an + b, n = 1, 2, 3, ..., contains infinitely many primes. 


No simple proof of Dirichlet’s theorem on primes in arithmetic progressions is 
known. (Dirichlet’s original proof used complex variables. In the 1950s, elementary but 
complicated proofs were found by Erdős and by Selberg.) However, special cases of 
Dirichlet’s theorem can be proved quite easily. We will illustrate this in Section 3.5, by 
showing that there are infinitely many primes of the form 4n + 3. 


The Largest Known Primes For hundreds if not thousands of years, professional and 
amateur mathematicians have been motivated to find a prime larger than any currently 
known. The person who discovers such a prime becomes famous, at least for a time, 
and has his or her name entered into the record books. Because there are infinitely many 
prime numbers, there is always a prime larger than the current record. Looking for new 
primes is done somewhat systematically; rather than checking randomly, people examine 
numbers that have a special form. For example, in Chapter 7 we will discuss primes of 
the form $2^p - 1$, where p is prime; such numbers are called Mersenne primes. We will 
see that there is a special test that makes it possible to determine whether $2^p - 1$ is 
prime without performing trial divisions. The largest known prime number has been a 
Mersenne prime for most of the past hundred years. Currently, the world record for the 
largest prime known is $2^{43{,}112{,}609} - 1$. 


G. LEJEUNE DIRICHLET (1805-1859) was born into a French family living 
in the vicinity of Cologne, Germany. He studied at the University of Paris when 
this was an important world center of mathematics. He held positions at the 
University of Breslau and the University of Berlin, and in 1855 was chosen 
to succeed Gauss at the University of Göttingen. Dirichlet is said to be the 
first person to master Gauss’s Disquisitiones Arithmeticae, which had appeared 
20 years earlier. He is said to have kept a copy of this book at his side even 
when he traveled. His book on number theory, Vorlesungen über Zahlentheorie, 
helped make Gauss’s discoveries accessible to other mathematicians. Besides his fundamental work 
in number theory, Dirichlet made many important contributions to analysis. His famous “drawer 
principle,” also called the pigeonhole principle, is used extensively in combinatorics and in number 
theory. 


Formulas for Primes Is there a formula that generates only primes? This is another 
question that has interested mathematicians for many years. No polynomial in one 
variable has this property, as Exercise 23 demonstrates. It is also the case that no 
polynomial in n variables, where n is a positive integer, generates only primes (a result 
that is beyond the scope of this book). There are several impractical formulas that 
generate only primes. For example, Mills has shown that there is a constant $\Theta$ such 
that the function $f(n) = [\Theta^{3^n}]$ generates only primes. Here the value of $\Theta$ is known only 
approximately, with $\Theta \approx 1.3064$. This formula is impractical for generating primes not 
only because the exact value of $\Theta$ is not known, but also because to compute $\Theta$ you must 
know the primes that f(n) generates (see [Mi47] for details). 


If no useful formula can be used to generate large primes, how can they be generated? 
In Chapter 6, we will learn how to generate large primes using what are known as 
probabilistic primality tests. 


Primality Proofs 


If someone presents you with a positive integer n and claims that n is prime, how can you 
be sure that n really is prime? We already know that we can determine whether n is prime 
by performing trial divisions of n by the primes not exceeding $\sqrt{n}$. If n is not divisible 
by any of these primes, it itself is prime. Consequently, once we have determined that 
n is not divisible by any prime not exceeding its square root, we have produced a proof 
that n is prime. Such a proof is also known as a certificate of primality. 


Unfortunately, using trial division to produce a certificate of primality is extremely 
inefficient. To see this, we estimate the number of bit operations used by this test. Using 
the prime number theorem, we can estimate the number of bit operations needed to show 
that an integer n is prime by trial divisions of n by all primes not exceeding $\sqrt{n}$. The prime 
number theorem tells us that there are approximately $\sqrt{n}/\log\sqrt{n} = 2\sqrt{n}/\log n$ primes 
not exceeding $\sqrt{n}$. To divide n by an integer m takes $O(\log_2 n \cdot \log_2 m)$ bit operations. 
Therefore, the number of bit operations needed to show that n is prime by this method is 
at least $(2\sqrt{n}/\log n)(c \log_2 n) = c\sqrt{n}$ (where we have ignored the $\log_2 m$ term because it 
is at least 1, even though it sometimes is as large as $(\log_2 n)/2$). This method of showing 
that an integer n is prime is very inefficient, for it is necessary not only to know all the 
primes not larger than $\sqrt{n}$, but to do at least a constant multiple of $\sqrt{n}$ bit operations. 


To input an integer into a computer program, we input the binary digits of the integer. 
Consequently, the computational complexity of algorithms for determining whether an 
integer is prime is measured in terms of the number of binary digits in the integer. By 
Exercise 11 in Section 2.3, we know that a positive integer n has $[\log_2 n] + 1$ binary 
digits. Consequently, a big-O estimate for the computational complexity of an algorithm 
in terms of number of binary digits of n translates to the same big-O estimate in terms of 
$\log_2 n$, and vice versa. Note that the algorithm using trial divisions to determine whether 
an integer n is prime is exponential in terms of the number of binary digits of n, or 
in terms of $\log_2 n$, because $\sqrt{n} = 2^{(\log_2 n)/2}$. That is, this algorithm has exponential time 
complexity, measured in terms of the number of binary digits in n. As n gets large, 
an algorithm with exponential complexity quickly becomes impractical. Determining 
whether a number with 200 digits is prime using trial division still takes billions of years 
on the fastest computers. 
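
The growth described above can be observed directly. This added Python example (not from the book) builds the trial-division certificate for n and counts the divisions of n it needs; the three sample primes are chosen here so that $\sqrt{n}$ is just above 100, 1000, and 10,000, and the function names are this example's own.

```python
from math import isqrt


def is_prime_given(m, smaller_primes):
    """Test m by trial division, given all primes below m in increasing order."""
    for q in smaller_primes:
        if q * q > m:
            break
        if m % q == 0:
            return False
    return True


def trial_division_certificate(n):
    """Trial division of n by the primes not exceeding sqrt(n).

    Returns (True, tested) when n is prime, where tested lists every prime
    p <= sqrt(n) and each was found not to divide n (the certificate).
    Returns (False, p) when n is composite, where p is its smallest prime
    factor.
    """
    if n < 2:
        raise ValueError("n must be an integer greater than 1")
    tested = []
    for m in range(2, isqrt(n) + 1):
        if is_prime_given(m, tested):      # m is a prime <= sqrt(n)
            if n % m == 0:
                return False, m
            tested.append(m)
    return True, tested


def division_counts(ns):
    """For each n return (n, number of binary digits, divisions of n).

    The division count is None when n turns out to be composite.
    """
    rows = []
    for n in ns:
        prime, data = trial_division_certificate(n)
        rows.append((n, n.bit_length(), len(data) if prime else None))
    return rows


if __name__ == "__main__":
    print(trial_division_certificate(163))     # prime: certificate listed
    print(trial_division_certificate(1001))    # composite: factor 7
    # Constructed sample: primes with 5, 7, and 9 decimal digits.
    for n, bits, divisions in division_counts([10007, 1000003, 100000007]):
        print(n, "binary digits:", bits, "divisions of n:", divisions)
```

Each additional 6 or 7 binary digits in these samples multiplies the number of divisions by roughly 7, which is the exponential behavior in the number of binary digits that the text describes.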


Mathematicians have looked for efficient primality tests for many years. In 
particular, they have searched for an algorithm that produces a certificate of primality in 
polynomial time, measured in terms of the number of binary digits of the integer input. 
In 1975, G. L. Miller developed an algorithm that can prove that an integer is prime 
using $O((\log n)^5)$ bit operations, assuming the validity of a hypothesis called the 
generalized Riemann hypothesis. Unfortunately, the generalized Riemann hypothesis remains 
an open conjecture. In 1983, Leonard Adleman, Carl Pomerance, and Robert Rumely 
developed an algorithm that can prove an integer is prime using $(\log n)^{c \log\log\log n}$ bit 
operations, where c is a constant. Although their algorithm does not run in polynomial 
time, it runs in close to polynomial time because the function log log log n grows so 
slowly. To use their algorithm with an up-to-date PC to determine whether a 100-digit 
integer is prime requires just a few milliseconds, determining whether a 400-digit 
integer is prime requires less than a second, and determining whether a 1000-digit integer is 
prime takes less than an hour. (For more information about their test, see [AdPoRu83] 
and [Ru83].) 


A Polynomial Time Algorithm for Prime Certificates Until 2002, no one was able 
to find a polynomial time algorithm for proving that a positive integer is prime. In 2002, 
M. Agrawal, N. Kayal, and N. Saxena, an Indian computer science professor and two 
of his undergraduate students, announced that they had found an algorithm that can 
produce a certificate of primality for an integer n using $O((\log n)^{12})$ bit operations. 
Their discovery of a polynomial time algorithm for proving that a positive integer is 
prime surprised the mathematical community. Their announcement stated that “PRIMES 
is in P.” Here, computer scientists denote by PRIMES the problem of determining 
whether a given integer n is prime, and P denotes the class of problems that can be 
solved in polynomial time. Consequently, PRIMES is in P means that one can determine 
whether n is prime using an algorithm that has computational complexity bounded by 
a polynomial in the number of binary digits in n, or equivalently, in log n. Their proof 
can be found in [AgKaSa02] and can be understood by undergraduate students who have 
studied number theory and abstract algebra. In this paper, they also show that under the 
assumption of a widely believed conjecture about the density of Sophie Germain primes 
(see Chapter 13 for a biography of the French mathematician Sophie Germain)¹ (primes 
p for which 2p + 1 is also prime), their algorithm uses only $O((\log n)^6)$ bit operations. 
Other mathematicians have also improved on Agrawal, Kayal, and Saxena’s result. In 
particular, H. Lenstra and C. Pomerance have reduced the exponent 12 in the original 
estimate to $6 + \epsilon$, where $\epsilon$ is any positive real number. 


¹ Both the first name and last name of Sophie Germain are used to describe primes p for which 2p + 1 is also 
prime. This type of terminology is rarely used when the names of other mathematicians are used as adjectives. 

It is important to note that in our discussion of primality tests, we have only addressed 
deterministic algorithms, that is, algorithms that decide with certainty whether an integer 
is prime. In Chapter 6, we will introduce the notion of probabilistic primality tests, that 
is, tests that tell us that there is a high probability, but not a certainty, that an integer is 
prime. 

3.1 EXERCISES 

1. Determine which of the following integers are primes. 
a) 101 c) 107 e) 113 
b) 103 d) 111 f) 121 

2. Determine which of the following integers are primes. 
a) 201 c) 207 e) 213 
b) 203 d) 211 f) 221 

3. Use the sieve of Eratosthenes to find all primes less than 150. 

4. Use the sieve of Eratosthenes to find all primes less than 200. 

5. Find all primes that are the difference of the fourth powers of two integers. 

6. Show that no integer of the form $n^3 + 1$ is a prime, other than $2 = 1^3 + 1$. 

7. Show that if a and n are positive integers with n > 1 and $a^n - 1$ is prime, then a = 2 and n is 
prime. (Hint: Use the identity $a^{kl} - 1 = (a^k - 1)(a^{k(l-1)} + a^{k(l-2)} + \cdots + a^k + 1)$.) 

8. (This exercise constructs another proof of the infinitude of primes.) Show that the integer 
$Q_n = n! + 1$, where n is a positive integer, has a prime divisor greater than n. Conclude that 
there are infinitely many primes. 

9. Can you show that there are infinitely many primes by looking at the integers $S_n = n! - 1$, 
where n is a positive integer? 

10. Using Euclid’s proof that there are infinitely many primes, show that the nth prime $p_n$ does 
not exceed $2^{2^{n-1}}$ whenever n is a positive integer. Conclude that when n is a positive integer, 
there are at least n + 1 primes less than $2^{2^n}$. 

11. Let $Q_n = p_1p_2\cdots p_n + 1$, where $p_1, p_2, \ldots, p_n$ are the n smallest primes. Determine the 
smallest prime factor of $Q_n$ for n = 1, 2, 3, 4, 5, and 6. Do you think that $Q_n$ is prime infinitely 
often? (Note: This is an unresolved question.) 

12. Show that if $p_k$ is the kth prime, where k is a positive integer, then $p_n \le p_1p_2\cdots p_{n-1} + 1$ 
for all integers n with $n \ge 3$. 

13. Show that if the smallest prime factor p of the positive integer n exceeds $\sqrt[3]{n}$, then n/p must 
be prime or 1. 

14. Show that if p is a prime in the arithmetic progression 3n + 1, n = 1, 2, 3, ..., then it is also 
in the arithmetic progression 6n + 1, n = 1, 2, 3, .... 

15. Find the smallest prime in the arithmetic progression an + b, for these values of a and b: 
a) a = 3, b = 1    b) a = 5, b = 4    c) a = 11, b = 16 

16. Find the smallest prime in the arithmetic progression an + b, for these values of a and b: 
a) a = 5, b = 1    b) a = 7, b = 2    c) a = 23, b = 13 


17. Use Dirichlet’s theorem to show that there are infinitely many primes whose decimal expansion 
ends with a 1. 

18. Use Dirichlet’s theorem to show that there are infinitely many primes whose decimal expansion 
ends with the two digits 23. 

19. Use Dirichlet’s theorem to show that there are infinitely many primes whose decimal expansion 
ends with the three digits 123. 

20. Show that for every positive integer n there is a prime whose decimal expansion ends with at 
least n 1s. 

21. Show that for every positive integer n there is a prime whose decimal expansion contains n 
consecutive 1s and whose final digit is 3. 

22. Show that for every positive integer n there is a prime whose decimal expansion contains n 
consecutive 2s and whose final digit is 7. 

23. Use the second principle of mathematical induction to prove that every integer greater than 
1 is either prime or the product of two or more primes. 

24. Use the principle of inclusion-exclusion (Exercise 16 of Appendix B) to show that 

$$\pi(n) = (\pi(\sqrt{n}) - 1) + n - \left(\left[\frac{n}{p_1}\right] + \left[\frac{n}{p_2}\right] + \cdots + \left[\frac{n}{p_r}\right]\right) + \left(\left[\frac{n}{p_1 p_2}\right] + \left[\frac{n}{p_1 p_3}\right] + \cdots + \left[\frac{n}{p_{r-1} p_r}\right]\right) - \left(\left[\frac{n}{p_1 p_2 p_3}\right] + \left[\frac{n}{p_1 p_2 p_4}\right] + \cdots + \left[\frac{n}{p_{r-2} p_{r-1} p_r}\right]\right) + \cdots,$$

where $p_1, p_2, \ldots, p_r$ are the primes less than or equal to $\sqrt{n}$ (with $r = \pi(\sqrt{n})$). (Hint: Let 
property $P_i$ be the property that an integer is divisible by $p_i$.) 

25. Use Exercise 24 to find $\pi(250)$. 

26. Show that $x^2 - x + 41$ is prime for all integers x with 0 < x < 40. Show, however, that it is 
composite for x = 41. 

27. Show that $2n^2 + 11$ is prime for all integers n with 0 < n < 10, but is composite for n = 11. 

28. Show that $2n^2 + 29$ is prime for all integers n with 0 < n < 28, but is composite for n = 29. 

29. Show that if $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$, where n > 1 and the coefficients are 
integers, then there is a positive integer y such that f(y) is composite. (Hint: Assume that 
f(x) = p is prime, and show that p divides f(x + kp) for all integers k. Conclude that there 
is an integer y such that f(y) is composite from the fact that a polynomial of degree n, n > 1, 
takes on each value at most n times.) 


The lucky numbers are generated by the following sieving process: Start with the positive integers. 
Begin the process by crossing out every second integer in the list, starting your count with the 
integer 1. Other than 1, the smallest integer not crossed out is 3, so we continue by crossing out 
every third integer left, starting the count with the integer 1. The next integer left is 7, so we cross 
out every seventh integer left. Continue this process, where at each stage we cross out every kth 
integer left, where k is the smallest integer not crossed out, other than 1, not yet used in the sieving 
process. The integers that remain are the lucky numbers. 


30. Find all lucky numbers less than 100. 

31. Show that there are infinitely many lucky numbers. 

32. Suppose that $t_k$ is the smallest prime greater than $Q_k = p_1 p_2 \cdots p_k + 1$, where $p_j$ is the jth 
prime number. 

a) Show that $t_k - Q_k + 1$ is not divisible by $p_j$ for j = 1, 2, ..., k. 

b) R. F. Fortune conjectured that $t_k - Q_k + 1$ is prime for all positive integers k. Show that 
this conjecture is true for all positive integers k with k < 5. 


Computations and Explorations 


1. Find the nth prime, where n is each of the following integers. 
a) 1,000,000    b) 333,333,333    c) 1,000,000,000 

2. Find the smallest prime greater than each of the following integers. 
a) 1,000,000    b) 100,000,000    c) 100,000,000,000 

3. Plot the nth prime as a function of n for 1 < n < 100. 

4. Plot $\pi(x)$ for 1 < x < 1000. 

5. Find the smallest prime factor of n! + 1 for all positive integers n not exceeding 20. 

6. Find the smallest prime factor of $p_1 p_2 \cdots p_k + 1$, where $p_1, p_2, \ldots, p_k$ are the k smallest 
primes, for all positive integers k not exceeding 100. Which of these numbers are prime? For 
which of those that are not prime is $p_{k+1}$ the smallest prime divisor of this number? 

7. Find the smallest prime factor of $p_1 p_2 \cdots p_k - 1$, where $p_1, p_2, \ldots, p_k$ are the k smallest 
primes, for all positive integers k not exceeding 100. Which of these numbers are primes? For 
which of those that are not prime is $p_{k+1}$ the smallest prime divisor of this number? 

8. The Euler-Mullin sequence $q_1, q_2, \ldots, q_k, \ldots$ is defined by taking $q_1 = 2$ and defining $q_{k+1}$ 
to be the smallest prime factor of $q_1 q_2 \cdots q_k + 1$ whenever k is a positive integer. Find as many 
terms of this sequence as you can. It has been conjectured that this sequence is a reordering 
of the list of prime numbers. 

9. Use the sieve of Eratosthenes to find all primes less than 10,000. 

10. Use the result given in Exercise 18 to find $\pi(10{,}000)$, the number of primes not exceeding 
10,000. 

11. A famous unsettled conjecture of Hardy and Littlewood, now generally believed to be false, 
asserts that $\pi(x + y) \le \pi(x) + \pi(y)$ for all integers x and y both greater than 1. Explore this 
conjecture by examining $\pi(x + y) - (\pi(x) + \pi(y))$ for various values of x and y. 

12. Verify R. F. Fortune’s conjecture that $t_k - Q_k + 1$ is prime for all positive integers k, where 
$t_k$ is the smallest prime greater than $Q_k = \prod_{j=1}^{k} p_j + 1$, for as many k as you can. 

13. Find all lucky numbers (as defined in the preamble to Exercise 30) not exceeding 10,000. 


Programming Projects 


1. Given a positive integer n, determine whether it is prime using trial division of the integer by 
all primes not exceeding its square root. 

* 2. Given a positive integer n, use the sieve of Eratosthenes to find all primes not exceeding it. 

3. Given a positive integer n, use Exercise 24 to find $\pi(n)$. 

4. Given positive integers a and b not divisible by the same prime, find the smallest prime 
number in the arithmetic progression an + b, where n is a positive integer. 

5. Given a positive integer n, find the lucky numbers less than n (see the preamble to Exercise 
30). 


3.2 The Distribution of Primes 


We know that there are infinitely many primes, but can we estimate how many primes 
there are less than a positive real number x? One of the most famous theorems of number 
theory, and of all mathematics, is the prime number theorem, which answers this question. 


Mathematicians in the late eighteenth century examined tables of prime numbers 
created using hand calculations. Using these values, they looked for functions that 
estimated $\pi(x)$. In 1798, French mathematician Adrien-Marie Legendre (see Chapter 11 
for a biography) used tables of primes up to 400,031, computed by Jurij Vega, to note 
that $\pi(x)$ could be approximated by the function 

$$\frac{x}{\log x - 1.08366}.$$

The great German mathematician Karl Friedrich Gauss (see Chapter 4 for a biography) 
conjectured that $\pi(x)$ increases at the same rate as the functions 

$$x/\log x \quad \text{and} \quad \mathrm{Li}(x) = \int_2^x \frac{dt}{\log t}$$

(where $\int_2^x \frac{dt}{\log t}$ represents the area under the curve y = 1/log t and above the t-axis from 
t = 2 to t = x). (The name Li is an abbreviation of logarithmic integral.) 

Neither Legendre nor Gauss managed to prove that these functions approximated 
$\pi(x)$ closely for large values of x. By 1811, a table of all primes up to 1,020,000 had been 
produced (by Chernac), which could be used to provide evidence for these conjectures. 


The first substantial result showing that $\pi(x)$ could be approximated by x/log x was 
established in 1850 by Russian mathematician Pafnuty Lvovich Chebyshev. He showed 
that there are positive real numbers $C_1$ and $C_2$, with $C_1 < 1 < C_2$, such that 

$$C_1 (x/\log x) < \pi(x) < C_2 (x/\log x)$$

for sufficiently large values of x. (In particular, he showed that this result holds with 
$C_1 = 0.929$ and $C_2 = 1.1$.) He also demonstrated that if the ratio of $\pi(x)$ and x/log x 
approaches a limit as x increases, then this limit must be 1. 


The prime number theorem, which states that the ratio of $\pi(x)$ and x/log x 
approaches 1 as x grows without bound, was finally proved in 1896, when French 
mathematician Jacques Hadamard and Belgian mathematician Charles-Jean-Gustave- 
Nicholas de la Vallée-Poussin produced independent proofs. Their proofs were based 
on results from the theory of complex analysis. They used ideas developed in 1859 by 
German mathematician Bernhard Riemann, which related $\pi(x)$ to the behavior of the 
function 

$$\zeta(s) = \sum_{n=1}^{\infty} \frac{1}{n^s}$$

in the complex plane. (The function $\zeta(s)$ is known as the Riemann zeta function.) The 
connection between the Riemann zeta function and the prime numbers comes from the 
identity 

$$\zeta(s) = \sum_{n=1}^{\infty} \frac{1}{n^s} = \prod_{p} \left(1 - \frac{1}{p^s}\right)^{-1},$$

where the product on the right-hand side of the equation extends over all primes p. We 
will explain why this identity is true in Section 3.5. (For information about the famous 
Riemann hypothesis, a conjecture about the roots of the zeta function, see the boxed note 
later in this section.) 


PAFNUTY LVOVICH CHEBYSHEV (1821-1894) was born on the estate 
of his parents in Okatovo, Russia. His father was a retired army officer. In 
1832, Chebyshev’s family moved to Moscow, where he completed his secondary 
education with study at home. In 1837, Chebyshev entered Moscow University, 
graduating in 1841. While still an undergraduate, he made his first original 
contribution, a new method for approximating roots of equations. Chebyshev 
joined the faculty of St. Petersburg University in 1843, where he remained until 
1882. His doctoral thesis, written in 1849, was long used as a number theory 
textbook at Russian universities. Chebyshev made contributions to many areas of mathematics besides 
number theory, including probability theory, numerical analysis, and real analysis. He worked in 
theoretical and applied mechanics, and had a bent for constructing mechanisms, including linkages 
and hinges. He was a popular teacher, and had a strong influence on the development of Russian 
mathematics. 


JACQUES HADAMARD (1865-1963) was born in Versailles, France. His 
father was a Latin teacher and his mother a distinguished piano teacher. After 
completing his undergraduate studies, he taught at a Paris secondary school. 
After receiving his doctorate in 1892, he became lecturer at the Faculté des 
Sciences of Bordeaux. He subsequently served on the faculties of the Sorbonne, 
the Collège de France, the École Polytechnique, and the École Centrale des Arts 
et Manufactures. Hadamard made important contributions to complex analysis, 
functional analysis, and mathematical physics. His proof of the prime number 
theorem was based on his work in complex analysis. Hadamard was a famous teacher; he wrote 
numerous articles about elementary mathematics that were used in French schools, and his text on 
elementary geometry was used for many years. 
In addition to proving the prime number theorem, de la Vallée-Poussin showed that 
the function Li(x) is a closer approximation to $\pi(x)$ than x/(log x − a) for all values of 
the constant a. 


The proofs of the prime number theorem found by Hadamard and de la Vallée- 
Poussin depend on complex analysis, though the theorem itself does not involve complex 
numbers. This left open the challenge of finding a proof that did not use the theory of 
complex variables. It surprised the mathematical community when, in 1949, Norwegian 
mathematician Atle Selberg and Hungarian mathematician Paul Erdős independently 
found elementary proofs of the prime number theorem. Their proofs, though elementary 
(meaning that they do not use the theory of complex variables), are quite complicated 
and difficult. 


We now formally state the prime number theorem. 

Theorem 3.4. The Prime Number Theorem. The ratio of $\pi(x)$ to x/log x approaches 
1 as x grows without bound. (Here, log x denotes the natural logarithm of x, and in the 
language of limits, we have $\lim_{x \to \infty} \pi(x)/(x/\log x) = 1$.) 


CHARLES-JEAN-GUSTAVE-NICHOLAS DE LA VALLÉE-POUSSIN 
(1866-1962), the son of a geology professor, was born at Louvain, Belgium. 
He studied at the Jesuit College at Mons, first studying philosophy, later turning 
to engineering. After receiving his degree, instead of pursuing a career in 
engineering, he devoted himself to mathematics. De la Vallée-Poussin’s most 
significant contribution to mathematics was his proof of the prime number theorem. 
Extending this work, he established results about the distribution of primes 
in arithmetic progressions and the distribution of primes represented by quadratic 
forms. Furthermore, he refined the prime number theorem to include error estimates. He made 
important contributions to differential equations, approximation theory, and analysis. His textbook, 
Cours d’analyse, had a strong impact on mathematical thought in the first half of the twentieth century. 


ATLE SELBERG (1917-2007), born in Langesund, Norway, became inter- 
ested in mathematics as a schoolboy. He was inspired by Ramanujan’s writing, 
both by the mathematics and the “air of mystery” surrounding Ramanujan’s per- 
sonality. Selberg received his doctorate in 1943 from the University of Oslo. He 
remained at the university until 1947, when he married and took a position at the 
Institute for Advanced Study in Princeton. After a brief stay at Syracuse Uni- 
versity, he returned to the Institute for Advanced Study, where he was appointed 
a permanent member in 1949; he became a professor at Princeton University in 
1951. Selberg received the Fields Medal, the most prestigious award in mathematics, for his work on 
sieve methods and on the properties of the set of zeros of the Riemann zeta function. He is also well 
known for his elementary proofs of the prime number theorem (also done by Paul Erdős), Dirichlet’s 
theorem on primes in arithmetic progressions, and the generalization of the prime number theorem 
for primes in arithmetic progressions. 
Remark. A concise way to state the prime number theorem is to write $\pi(x) \sim x/\log x$. 
Here, the symbol ~ denotes “is asymptotic to.” We write $a(x) \sim b(x)$ to denote that 
$\lim_{x \to \infty} a(x)/b(x) = 1$, and we say that a(x) is asymptotic to b(x). 


x        π(x)             x/log x            π(x)/(x/log x)   Li(x)            π(x)/Li(x)
10^3     168              144.8              1.160            178              0.9438202
10^4     1229             1085.7             1.132            1246             0.9863563
10^5     9592             8685.9             1.104            9630             0.9960540
10^6     78498            72382.4            1.085            78628            0.9983466
10^7     664579           620420.7           1.071            664918           0.9998944
10^8     5761455          5428681.0          1.061            5762209          0.9998691
10^9     50847534         48254942.4         1.054            50849235         0.9999665
10^10    455052512        434294481.9        1.048            455055614        0.9999932
10^11    4118054813       3948131663.7       1.043            4118165401       0.9999731
10^12    37607912018      36191206825.3      1.039            37607950281      0.9999990
10^13    346065536839     334072678387.1     1.036            346065645810     0.9999997
10^14    3204941750802    3102103442166.0    1.033            3204942065692    0.9999999

Table 3.1 Approximations to π(x). 
PAUL ERDŐS (1913-1996), born in Budapest, Hungary, was the son of high 
school mathematics teachers. When he was three years old, he could multiply 
three-digit numbers in his head, and when he was four, he discovered negative 
numbers on his own. At 17, he entered Eötvös University, graduating in four 
years with a Ph.D. in mathematics. After graduating, he spent four years at 
Manchester University, England, as a postdoctoral fellow. In 1938, he came 
to the United States because of the difficult political situation in Hungary, 
especially for Jews. 

Erdős made many significant contributions to combinatorics and to number theory. One of the 
discoveries of which he was most proud was his elementary proof of the prime number theorem. 
He also participated in the modern development of Ramsey theory, a part of combinatorics. Erdős 
traveled extensively throughout the world to work with other mathematicians. He traveled from one 
mathematician or group of mathematicians to the next, proclaiming, “My brain is open.” Erdős offered 
monetary rewards for the solutions of problems he found particularly interesting. Erdős wrote more 
than 1500 papers, with almost 500 coauthors. These coauthors are said to have Erdős number one. 
Otherwise, a mathematician’s Erdős number is k + 1 if the smallest Erdős number of his or her 
coauthors is k. Two fascinating biographies ([Sc98] and [Ho99]) and the film N is a Number [Cs07] 
give further details on his life and work. 
The prime number theorem tells us that the ratio between x/log x and $\pi(x)$ is close 
to 1 when x is large. However, there are functions for which the ratio between these 
functions and $\pi(x)$ approaches 1 more rapidly than it does for x/log x. In particular, it 
has been shown that Li(x) is an even better approximation. In Table 3.1, we see evidence 
for the prime number theorem and that Li(x) is an excellent approximation of $\pi(x)$. (Note 
that the values of Li(x) have been rounded to the nearest integer.) 


The Riemann Hypothesis 

Many mathematicians consider the Riemann hypothesis, a conjecture about the zeros of 
the zeta function, the most important open problem in pure mathematics. For more than 
100 years, number theorists have struggled to solve this problem. Interest in it has spread, 
perhaps because a prize of one million dollars for a proof (if it is indeed true) has been 
offered by the Clay Mathematics Institute. Recently, many general-interest books about the 
Riemann hypothesis, such as [De03], [Sa03a], and [Sa03b], have appeared, even though the 
hypothesis involves sophisticated notions from complex analysis. We will briefly describe 
the Riemann hypothesis for the benefit of readers familiar with complex analysis, as well 
as for the general appreciation of others. 

We have defined the Riemann zeta function as $\zeta(s) = \sum_{n=1}^{\infty} 1/n^s$. This definition is valid 
for all complex numbers s with Re(s) > 1, where Re(s) is the real part of the complex 
number s. Riemann was able to extend the function defined by the infinite series to a function 
in the entire complex plane with a pole at s = 1. In his famous 1859 paper [RiS59], Riemann 
connected the zeta function with the distribution of prime numbers. He derived a formula for 
$\pi(x)$ in terms of the zeros of $\zeta(s)$. The more we understand about the location of the zeros 
of the zeta function, the more we know about the distribution of the primes. The Riemann 
hypothesis is a statement about the location of the zeros of this function. Before stating 
the hypothesis, we first note that the zeta function has zeros at the negative even integers 
−2, −4, −6, ..., called the trivial zeros. The Riemann hypothesis is the assertion that 
the nontrivial zeros of $\zeta(s)$ all have real part equal to 1/2. Note that there is an equivalent 
formulation of the Riemann hypothesis in terms of the error introduced when Li(x) is used 
to estimate $\pi(x)$; this alternative formulation does not involve complex variables. In 1901, 
von Koch showed that the Riemann hypothesis is equivalent to the statement that the error 
that occurs when $\pi(x)$ is estimated by Li(x) is $O(x^{1/2} \log x)$. 

Many mathematicians believe the Riemann hypothesis is true, particularly because of 
the wealth of evidence supporting it. First, a vast amount of numerical evidence has been 
found. We now know that the first $2.5 \times 10^{11}$ zeros (in order of increasing imaginary parts) 
have real part equal to 1/2. (These computations were done by Sebastian Wedeniwski, who 
has set up a distributed computing project to carry them out called ZetaGrid). Second, we 
know that at least 40% of the nontrivial zeros of the zeta function are simple and have real 
part equal to 1/2. Third, we know that if there are exceptions to the Riemann hypothesis, 
they must be rare as we move away from the line Re(s) = 1/2. Of course, it is still possible 
that this evidence is misleading us and that the Riemann hypothesis is not true. Perhaps this 
famous problem will be resolved in the next few years, or maybe it will resist all attacks 
for hundreds of years into the future. For more information about the Riemann hypothesis, 
consult [Ed01] and the online essay by Enrico Bombieri on the Web site for the Clay Institute 
Millennium Prize Problems. 
It is not necessary to find all primes not exceeding x to compute $\pi(x)$. One way to 
evaluate $\pi(x)$ without finding all the primes less than x is to use a counting argument 
based on the sieve of Eratosthenes (see Exercise 18 in Section 3.1). Efficient ways of 
computing $\pi(x)$ requiring only $O(x^{(3/5)+\epsilon})$ bit operations have been devised by Lagarias 
and Odlyzko [LaOd82]. The world record is currently held by Tomas Oliveira e Silva, 
who was able to compute $\pi(10^{23})$ = 1,925,320,391,606,803,968,923 in 2008. 


How big is the nth prime? From the prime number theorem, we know that 
$n = \pi(p_n) \sim p_n/\log p_n$. Because taking logarithms of both sides of an asymptotic 
formula maintains the asymptotic relationship, we find that $\log n \sim \log(p_n/\log p_n) = 
\log p_n - \log\log p_n \sim \log p_n$. Consequently, $p_n \sim n \log p_n \sim n \log n$. We state this fact 
as a corollary. 


Corollary 3.4.1. Let $p_n$ be the nth prime, where n is a positive integer. Then $p_n \sim 
n \log n$. That is, the nth prime is asymptotic to n log n. 


What is the probability that a randomly selected positive integer is prime? Given that 
there are approximately x/log x primes not exceeding x, the probability that x is prime 
is approximately (x/log x)/x = 1/log x. For example, the probability that an integer 
near $10^{1000}$ is prime is approximately $1/\log 10^{1000} \approx 1/2302$. Suppose that you want to 
find a prime with 1000 digits; what is the expected number of integers you must select 
before you find a prime? The answer is that you must select roughly 1/(1/2302) = 2302 
integers of this size before one of them will be a prime. Of course, you will need to check 
each one to determine whether it is prime. In Chapter 6, we will discuss how this can be 
done efficiently. 
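
The 1/log x estimate can be checked empirically at a smaller size. The following Python code is an added example, not code from the book: it draws random 20-digit integers until one passes a Miller-Rabin test (a stand-in chosen here, since the text defers efficient primality testing to Chapter 6) and compares the average number of draws with log 10^20, which is about 46. The function names, the seed, and the 20-digit size are assumptions made for illustration.

```python
import math
import random

# The first 12 primes as Miller-Rabin bases. With these bases the test is
# deterministic for n < 3.3e24 and a probabilistic test for larger n.
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin strong-pseudoprime test to the fixed bases in _BASES."""
    if n < 2:
        return False
    for p in _BASES:                 # cheap trial division first
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:                # write n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False             # base a is a witness: n is composite
    return True


def expected_trials(digits: int) -> float:
    """Estimate from the text: about log(10^digits) candidates per prime."""
    return digits * math.log(10)


def search_prime(digits: int, rng: random.Random, odd_only: bool = False):
    """Draw random integers with `digits` digits until one is prime.

    Returns (prime, number_of_candidates_tested).
    """
    lo, hi = 10 ** (digits - 1), 10 ** digits - 1
    trials = 0
    while True:
        n = rng.randint(lo, hi)
        if odd_only:
            n |= 1                   # skipping even candidates halves the work
        trials += 1
        if is_probable_prime(n):
            return n, trials


def mean_trials(digits: int, samples: int, seed: int, odd_only: bool = False) -> float:
    """Average number of candidates tested per prime over `samples` searches."""
    # A seeded generator keeps the experiment reproducible. Key generation
    # must draw candidates from a CSPRNG (for example the `secrets` module).
    rng = random.Random(seed)
    total = sum(search_prime(digits, rng, odd_only)[1] for _ in range(samples))
    return total / samples


if __name__ == "__main__":
    print("estimate for 1000 digits:", round(expected_trials(1000)))
    print("estimate for 20 digits:  ", round(expected_trials(20), 1))
    print("observed, any candidate: ", mean_trials(20, 300, seed=2024))
    print("observed, odd candidates:", mean_trials(20, 300, seed=2024, odd_only=True))
```

Restricting candidates to odd integers roughly halves the observed count, which is why prime generators for cryptographic keys never test even candidates.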


Gaps in the Distribution of Primes We have shown that there are infinitely many 
primes and we have discussed the abundance of primes below a given bound x, but we 
have yet to discuss how regularly primes are distributed throughout the positive integers. 
We first give a result that shows that there are arbitrarily long runs of integers containing 
no primes. 


One of the Largest Numbers Ever Appearing Naturally in a Proof 

Using the data in Table 3.1, we can show that for all x in the table, the difference $\mathrm{Li}(x) - 
\pi(x)$ is positive and increases as x grows. Gauss, who only had access to the data in the 
first few rows of this table, believed this trend held for all positive integers x. However, 
in 1914, the English mathematician J. E. Littlewood showed that $\mathrm{Li}(x) - \pi(x)$ changes 
sign infinitely many times. In his proof, Littlewood did not establish a lower bound for 
the first time that $\mathrm{Li}(x) - \pi(x)$ changes from positive to negative. This was done in 1933 
by Samuel Skewes, a student of Littlewood’s, who managed to show that $\mathrm{Li}(x) - \pi(x)$ 
changes signs for at least one x with x < 1910 a humongous number. This number, 
known as Skewes’ constant, became famous as the largest number to appear naturally in a 
mathematical proof. Fortunately, in the past seven decades, considerable progress has been 
made in reducing this bound. The best current results show that $\mathrm{Li}(x) - \pi(x)$ changes sign 
near $x = 1.39822 \times 10^{316}$. 
Theorem 3.5. For any positive integer n, there are at least n consecutive composite 
positive integers. 


Proof. Consider the n consecutive positive integers 

$$(n+1)! + 2,\ (n+1)! + 3,\ \ldots,\ (n+1)! + n + 1.$$

When $2 \le j \le n + 1$, we know that $j \mid (n+1)!$. By Theorem 1.9 it follows that $j \mid 
(n+1)! + j$. Hence, these n consecutive integers are all composite. ■ 


Example 3.4. The seven consecutive integers beginning with 8! + 2 = 40,322 are 
all composite. (However, these are much larger than the smallest seven consecutive 
composites, 90, 91, 92, 93, 94, 95, and 96.) ◀ 


Conjectures About Primes 


Professional and amateur mathematicians alike find the prime numbers fascinating. It is 
not surprising that a tremendous variety of conjectures have been formulated concerning 
prime numbers. Some of these conjectures have been settled, but many still elude 
resolution. We will describe some of the best known of these conjectures here. 


Looking at tables of primes led mathematicians in the first half of the nineteenth 
century to make conjectures that the distribution of primes satisfies some basic properties, 
such as the following conjecture. 


Bertrand’s Conjecture. In 1845, the French mathematician Joseph Bertrand conjectured 
that for every positive integer n with n > 1, there is a prime p such that n < p < 2n. 
Bertrand verified this conjecture for all n not exceeding 3,000,000, but he could not 
produce a proof. The first proof of this conjecture was found by Pafnuty Lvovich Chebyshev 
in 1852. Because this conjecture has been proved, it is often called Bertrand’s postulate. 
(See Exercises 22-24 for an outline of a proof.) 


Theorem 3.5 shows that the gap between consecutive primes is arbitrarily long. On 
the other hand, primes may often be close together. The only consecutive primes are 2 
and 3, because 2 is the only even prime. However, many pairs of primes differ by two; 
these pairs of primes are called twin primes. Examples are the pairs 3, 5 and 7, 11 and 
13, 101 and 103, and 4967 and 4969. 


JOSEPH LOUIS FRANCOIS BERTRAND (1822-1900) was born in Paris. 
He studied at the École Polytechnique from 1839 until 1841 and at the École des 
Mines from 1841 to 1844. Instead of becoming a mining engineer, he decided 
to become a mathematician. Bertrand was appointed to a position at the École 
Polytechnique in 1856, and, in 1862, he also became professor at the Collège 
de France. In 1845, on the basis of extensive numerical evidence in tables of 
primes, Bertrand conjectured that there is at least one prime between n and 2n 
for every integer n with n > 1. This result was first proved by Chebyshev in 1852. 
Besides working in number theory, Bertrand worked on probability theory and differential geometry. 
He wrote several brief volumes on the theory of probability and on analyzing data from observations. 
His book Calcul des probabilités, written in 1888, contains a paradox on continuous probabilities 
now known as Bertrand’s paradox. Bertrand was considered to be kind at heart, extremely clever, and 
full of spirit. 


Evidence seems to indicate that there are infinitely many pairs of twin primes. There 
are 35 pairs of twin primes less than $10^3$; 8169 pairs less than $10^6$; 3,424,506 pairs less 
than $10^9$; and 1,870,585,220 pairs less than $10^{12}$. This leads to the following conjecture. 


Twin Prime Conjecture. There are infinitely many pairs of primes p and p + 2. 
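
Several of the figures quoted in this section can be recomputed with the sieve of Eratosthenes. The following Python code is an added example, not code from the book, and its function names are illustrative: it reproduces the π(x) and x/log x columns of Table 3.1 up to 10^6, the runs of composites in Theorem 3.5 and Example 3.4, and the twin prime counts below 10^3 and 10^6.

```python
import math


def sieve(limit: int) -> bytearray:
    """Sieve of Eratosthenes: flags[i] == 1 exactly when i is prime (limit >= 2)."""
    flags = bytearray([1]) * (limit + 1)
    flags[0:2] = b"\x00\x00"
    for p in range(2, math.isqrt(limit) + 1):
        if flags[p]:
            # cross out p*p, p*p + p, ... in one slice assignment
            flags[p * p :: p] = bytes(len(range(p * p, limit + 1, p)))
    return flags


def prime_count(flags: bytearray, x: int) -> int:
    """pi(x): the number of primes not exceeding x."""
    return sum(flags[: x + 1])


def table_rows(flags: bytearray):
    """Rows (x, pi(x), x/log x, pi(x)/(x/log x)) for x = 10^3, ..., 10^6."""
    rows = []
    for k in range(3, 7):
        x = 10 ** k
        approx = x / math.log(x)
        count = prime_count(flags, x)
        rows.append((x, count, approx, count / approx))
    return rows


def first_composite_run(flags: bytearray, n: int):
    """Start of the first run of at least n consecutive composites, or None."""
    run = 0
    for i in range(4, len(flags)):
        if flags[i]:
            run = 0
        else:
            run += 1
            if run == n:
                return i - n + 1
    return None


def factorial_run_is_composite(flags: bytearray, n: int) -> bool:
    """Check Theorem 3.5 for one n: (n+1)! + j is composite for 2 <= j <= n + 1."""
    base = math.factorial(n + 1)
    return all(not flags[base + j] for j in range(2, n + 2))


def twin_pairs_below(flags: bytearray, x: int) -> int:
    """Number of pairs (p, p + 2) with both members prime and p + 2 < x."""
    return sum(1 for p in range(3, x - 2) if flags[p] and flags[p + 2])


if __name__ == "__main__":
    flags = sieve(10 ** 6)
    for x, count, approx, ratio in table_rows(flags):
        print(f"{x:>8} {count:>6} {approx:>9.1f} {ratio:.3f}")
    print("first run of 7 composites starts at", first_composite_run(flags, 7))
    print("8! + 2, ..., 8! + 8 all composite:", factorial_run_is_composite(flags, 7))
    print("twin prime pairs below 10^3:", twin_pairs_below(flags, 10 ** 3))
    print("twin prime pairs below 10^6:", twin_pairs_below(flags, 10 ** 6))
```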


In 1966, Chinese mathematician J. R. Chen showed, using sophisticated sieve 
methods, that there are infinitely many primes p such that p + 2 has at most two prime 
factors. An active competition is under way to produce new largest pairs of twin primes. 
The current record for the largest pair of twin primes is $2{,}003{,}663{,}613 \cdot 2^{195{,}000} \pm 1$, a 
pair of primes with 58,711 digits each discovered in 2007. 


The twin prime conjecture asserts that infinitely many primes occur as pairs of 
consecutive odd numbers. However, consecutive primes may be far apart. A consequence 
of the prime number theorem is that as n grows, the average gap between the consecutive 
primes $p_n$ and $p_{n+1}$ is $\log p_n$. Number theorists have worked hard to prove results 
that show that the gaps between consecutive primes are much smaller than average 
for infinitely many primes. In 2005, a breakthrough was made by Daniel Goldston, 
Janos Pintz, and Cem Yıldırım. They showed that for every positive number c, there 
are infinitely many pairs of consecutive primes $p_n$ and $p_{n+1}$ that differ by less than c times 
$\log p_n$, the average distance between consecutive primes. They also showed that under 
the assumption of a conjecture known as the Elliott-Halberstam conjecture, there are 
infinitely many pairs of primes within 16 of each other. 


Viggo Brun showed that the sum $\sum_{\text{primes } p \text{ with } p+2 \text{ prime}} \left(\frac{1}{p} + \frac{1}{p+2}\right) = (1/3 + 1/5) + 
(1/5 + 1/7) + (1/11 + 1/13) + \cdots$ converges to a constant called Brun’s constant, which 
is approximately equal to 1.9021605824. Surprisingly, the computation of Brun’s constant 
has played a role in discovering flaws in Intel’s original Pentium chip. In 1994, 
Thomas Nicely at Lynchburg College in Virginia computed Brun’s constant in two different 
ways using different methods on a Pentium PC and came up with different answers. 
He traced the error back to a flaw in the Pentium chip and he alerted Intel to this problem. 
(See the box on page 89 for more information about Nicely’s discovery.) 


JING RUN CHEN (1933-1996) was a student of the prominent Chinese num- 
ber theorist Loo Keng Hua. Chen was almost entirely devoted to mathematical 
research. During the Cultural Revolution in China, he continued his research, 
working almost all day and night in a tiny room with no electric lights, no table or 
chairs, only a small bed, and his books and papers. It was during this period that 
he made his most important discoveries concerning twin primes and Goldbach’s 
conjecture. Although he was a mathematical prodigy, Chen was considered to 
be next to hopeless in other aspects of life. He died in 1996 after a long illness. 
The Erdős Conjecture on Arithmetic Progressions of Primes. For every positive 
integer n > 3, there is an arithmetic progression of primes of length n. 


This conjecture most likely dates back more than a century; it was discussed by 
Paul Erdős in the 1930s. Although much numerical evidence was found to support this 
conjecture, it remained unsettled for many years. 


Example 3.5. The sequence 5, 11, 17, 23, 29 is an arithmetic progression of five primes 
and the sequence 199, 409, 619, 829, 1039, 1249, 1459, 1669, 1879, 2089 is an arithmetic 
progression of ten primes, as the reader should verify. ◀ 


The Dutch mathematician Johannes van der Corput (1890-1971) made some 
progress on this conjecture when he showed in 1939 that there are infinitely many 
arithmetic progressions of three primes. In a major breakthrough, Ben Green and Terence 
Tao were able to prove this conjecture in 2006. They began by attempting to show that 
there are infinitely many arithmetic progressions of four primes, but were able to prove 
the full conjecture, which is now known as the Green-Tao Theorem. Their proof, 
considered to be a mathematical tour de force, is a nonconstructive existence proof that 
combines ideas from several different areas of mathematics, including analytic number 
theory and ergodic theory. Because it is nonconstructive, it cannot be used to construct 


TERRENCE TAO (born 1975) was born in Australia; His parents immigrated 
there from Hong Kong. His father is a pediatrician and his mother taught 
mathematics at a Hong Kong secondary school. Tao was a child prodigy. He 
taught himself arithmetic at the age of two. At 10, he became the youngest 
contestant at the International Mathematics Olympiad (IMO), later winning 
an IMO gold medal when he was 13. At 17, Tao received his bachelors and 
masters degrees and began graduate studies at Princeton University, receiving 
his Ph.D. in three years. In 1996, he became a faculty member at the University 
of California, Los Angeles, where he continues to work. 

Tao is an extremely versatile mathematician who enjoys working on problems in diverse areas, 
including harmonic analysis, partial differential equations, number theory, and combinatorics. You can 
follow his work by reading his blog, which discusses progress on various problems. His most famous 
result is the Grecn-Tao Theorem, which tells that there are arbitrarily long arithmetic progressions 
of primes. Besides working in pure mathematics, Tao has made important contributions to the 
applications of mathematics. For example, he has made key contributions to the area of compressive 
sampling, which involves the reconstniction of digital images using the least possible information. 

Tao has an amazing reputation among mathematicians; he has become a Mr. Fix-It forresearchers 
in mathematics. The well-known mathematician Charles Fefferman, himself a child prodigy, has said, 
“Tf you’re stuck on a problem, then one way out is to interest Terence Tao.” In 2006, Tao was awarded 
a Fields Medal, the most prestigious award for mathematicians under the age of 40. He was also 
awarded a MacArthur Fellowship in 2006, and in 2008 he received the Allan T. Waterman award, 
which came with a $500,000 cash prize to support research work of scientists early in their career. 

Tao’s wife, Laura, is an engineer at the Jet Propulsion Laboratory. 
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examples of arithmetic progressions of specified length. The Green-Tao theorem estab- 
lishes a special case of a more general conjecture that Paul Erdés made in the 1930s, 
namely, that if the sum of the reciprocals of the elements of a set A of positive integers 
diverges, then A contains arbitrarily long arithmetic progressions. This more general 
conjecture remains unsettled. 


We now discuss perhaps the most notorious conjecture about primes. 


Goldbach’s Conjecture. Every even positive integer greater than 2 can be written as the 
sum of two primes. 


Example 3.6. The integers 10, 24, and 100 can be written as the sum of two primes in 
the following ways: 


10 = 3 + 7 = 5 + 5,

24 = 5 + 19 = 7 + 17 = 11 + 13,

100 = 3 + 97 = 11 + 89 = 17 + 83
    = 29 + 71 = 41 + 59 = 47 + 53. ◄


This conjecture was stated by Christian Goldbach in a letter to Leonhard Euler in 
1742. It has been verified by a distributed computing effort for all even integers less 
than 10^18, with this limit increasing as computers become more powerful. Usually, there
are many ways to write a particular even integer as the sum of primes, as Example 3.5 
illustrates. However, a proof that there is always at least one way has not yet been found. 
The best result known to date is due to J. R. Chen, who showed (in 1966), using powerful 
sieve methods, that all sufficiently large integers are the sum of a prime and the product 
of at most two primes. 


There are many conjectures concerning the number of primes of various forms, such 
as the following conjecture. 


The n^2 + 1 Conjecture. There are infinitely many primes of the form n^2 + 1, where n
is a positive integer.


The smallest primes of the form n^2 + 1 are 2 = 1^2 + 1, 5 = 2^2 + 1, 17 = 4^2 + 1,
37 = 6^2 + 1, 101 = 10^2 + 1, 197 = 14^2 + 1, 257 = 16^2 + 1, and 401 = 20^2 + 1. The best
result known to date is that there are infinitely many integers n for which n^2 + 1 is
either a prime or the product of two primes. This was shown by Henryk Iwaniec in
1973. Conjectures such as the n^2 + 1 conjecture may be easy to state, but are sometimes
extremely difficult to resolve (see [Ri96] for more information).


CHRISTIAN GOLDBACH (1690-1764) was born in Königsberg, Prussia (the city noted
in mathematical circles for its famous bridge problem). He became professor of mathematics
at the Imperial Academy of St. Petersburg in 1725. In 1728, Goldbach went to Moscow to
tutor Tsarevich Peter II. In 1742, he entered the Russian Ministry of Foreign Affairs as a staff
member. Goldbach is most noted for his correspondence with eminent mathematicians, in
particular Leonhard Euler and Daniel Bernoulli. Besides his well-known conjectures that
every even positive integer greater than 2 is the sum of two primes and that every odd
positive integer greater than 5 is the sum of three primes, Goldbach made several notable
contributions to analysis.


We have discussed three of the four problems about primes described as “unattack- 
able by the present state of science” in 1912 by the famous number theorist Edmund 
Landau in his address at the International Congress of Mathematicians. These four prob- 
lems, known collectively as Landau’s problems, are Goldbach’s conjecture, the twin 
prime conjecture, the existence of infinitely many primes of the form n^2 + 1, and this
conjecture of Legendre: 


The Legendre Conjecture. There is a prime between every two pairs of consecutive 
squares of integers. 


Pentium Chip Flaw 

The story behind the Pentium chip flaw encountered by Thomas Nicely shows that answers 
produced by computers should not always be trusted. A surprising number of hardware and 
software problems arise that lead to incorrect computational results. This story also shows 
that companies risk serious problems when they hide errors in their products. In June 1994, 
testers at Intel discovered that Pentium chips did not always carry out computations cor- 
rectly. However, Intel decided not to make public information about this problem. Instead, 
they concluded that because the error would not affect many users, it was unnecessary to 
alert the millions of owners of Pentium computers. The Pentium flaw involved an incor- 
rect implementation of an algorithm for floating-point division. Although the probability 
is low that divisions of numbers affected by this error come up in a computation, such di- 
visions arise in many computations in mathematics, science, and engineering, and even in 
spreadsheets running business applications. 

Later in that same month, Nicely came up with two different results when he used a 
Pentium computer to compute Brun’s constant in different ways. In October 1994, after 
checking all possible sources of computational error, Nicely contacted Intel customer sup- 
port. They duplicated his computations and verified the existence of an error. Furthermore, 
they told him that this error had not been previously reported. After not hearing any addi- 
tional information from Intel, Nicely sent e-mail to a few people telling them about this. 
These people forwarded the message to other interested parties, and within a few days, in- 
formation about the bug was posted on an Internet newsgroup. By late November, this story 
was reported by CNN, the New York Times, and the Associated Press. 

Surprised by the bad publicity, Intel offered to replace Pentium chips, but only for users 
running applications determined by Intel to be vulnerable to the Pentium division flaw. This 
offer did not mollify the Pentium user community. All the bad publicity drove Intel stock 
down several dollars a share and Intel became the object of many jokes, such as: “At Intel, 
quality is job 0.999999998.” Finally, in December 1994, Intel decided to offer a replacement 
Pentium chip upon request. They set aside almost half a billion dollars to cover costs, and 
they hired hundreds of extra employees to handle customer requests. Nevertheless, this story 
does have a happy ending for Intel. Their corrected and improved version of the Pentium 
chip was extremely successful. 


This conjecture was proposed by the French mathematician Adrien-Marie Legendre
(see Chapter 11 for his biography). Numerical evidence for this conjecture shows that
there is a prime between n^2 and (n + 1)^2 for all n < 10^18. Note that Ingham has shown
that for sufficiently large n, there is a prime between n^3 and (n + 1)^3.


Although all four unsettled conjectures described by Landau in 1912 remain open, 
partial progress has been made on each. We may see one or more of them settled in the 
next few years. However, it may still be the case that all remain unsettled a century from 
now. 
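
The checks below are an added example, not part of the textbook: a short Python script that sieves the primes up to a fixed bound and tests this section's statements numerically (Examples 3.5 and 3.6, the listed primes of the form n^2 + 1, and small cases of Goldbach's and Legendre's conjectures). The function names and the bound LIMIT are choices made for this illustration.

```python
from math import isqrt


def sieve(limit):
    """Sieve of Eratosthenes: flags[k] == 1 exactly when k is prime, 0 <= k <= limit."""
    flags = bytearray([1]) * (limit + 1)
    flags[0:2] = b"\x00\x00"
    for p in range(2, isqrt(limit) + 1):
        if flags[p]:
            # Strike p*p, p*p + p, ...; smaller multiples of p were struck earlier.
            flags[p * p :: p] = bytearray(len(range(p * p, limit + 1, p)))
    return flags


LIMIT = 11_000  # assumption: large enough for (100 + 1)^2 = 10201 and all values below
IS_PRIME = sieve(LIMIT)


def goldbach_pairs(n):
    """All ways to write n as p + q with p <= q and both prime (as in Example 3.6)."""
    return [(p, n - p) for p in range(2, n // 2 + 1)
            if IS_PRIME[p] and IS_PRIME[n - p]]


def G(n):
    """Number of representations counted by goldbach_pairs (the G(n) of the exercises)."""
    return len(goldbach_pairs(n))


def goldbach_failures(bound):
    """Even n with 2 < n < bound that are NOT a sum of two primes (conjecture: none)."""
    return [n for n in range(4, bound, 2) if G(n) == 0]


def is_prime_progression(first, difference, length):
    """True when first, first + difference, ... (length terms) are all prime."""
    return all(IS_PRIME[first + i * difference] for i in range(length))


def primes_of_form_n2_plus_1(count):
    """First `count` primes n^2 + 1; count must keep n^2 + 1 within LIMIT."""
    found, n = [], 1
    while len(found) < count:
        if IS_PRIME[n * n + 1]:
            found.append(n * n + 1)
        n += 1
    return found


def legendre_witness(n):
    """Smallest prime strictly between n^2 and (n + 1)^2, or None if there is none."""
    for m in range(n * n + 1, (n + 1) ** 2):
        if IS_PRIME[m]:
            return m
    return None


if __name__ == "__main__":
    for n in (10, 24, 100):
        print(n, goldbach_pairs(n))
    print("Goldbach failures below 10000:", goldbach_failures(10_000))
    print("5, 11, ..., 29 all prime:", is_prime_progression(5, 6, 5))
    print("199, 409, ..., 2089 all prime:", is_prime_progression(199, 210, 10))
    print("primes n^2 + 1:", primes_of_form_n2_plus_1(8))
    print("Legendre witnesses for n = 1..10:",
          [legendre_witness(n) for n in range(1, 11)])
```

A finite check of this kind is evidence only; it says nothing about the values beyond the bound, which is exactly why these conjectures remain open.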


EXERCISES 


1. Find the smallest five consecutive composite integers.

2. Find one million consecutive composite integers.

3. Show that there are no “prime triplets,” that is, primes p, p + 2, and p + 4, other than 3, 5,
   and 7.

4. Find the smallest four sets of prime triplets of the form p, p + 2, p + 6.

5. Find the smallest four sets of prime triplets of the form p, p + 4, p + 6.

6. Find the smallest prime between n and 2n for these values of n.
   a) 3   b) 5   c) 19   d) 31

7. Find the smallest prime between n and 2n for these values of n.
   a) 4   b) 6   c) 23   d) 47

8. Find the smallest prime between n^2 and (n + 1)^2 for all positive integers n with n < 10.

9. Find the smallest prime between n^2 and (n + 1)^2 for all positive integers n with 11 < n < 20.

* 10. Show that there are infinitely many primes that are not one of the primes in a pair of twin
   primes. (Hint: Apply Dirichlet’s theorem.)

* 11. Show that there are infinitely many primes that are not part of a prime triple of the form p,
   p + 2, p + 6. (Hint: Apply Dirichlet’s theorem.)

12. Verify Goldbach’s conjecture for each of the following values of n.
   a) 50   c) 102   e) 200
   b) 98   d) 144   f) 222

13. Goldbach also conjectured that every odd positive integer greater than 5 is the sum of three
   primes. Verify this conjecture for each of the following odd integers.
   a) 7    c) 27   e) 101
   b) 17   d) 97   f) 199

14. Show that every integer greater than 11 is the sum of two composite integers.

15. Show that Goldbach’s conjecture that every even integer greater than 2 is the sum of two
   primes is equivalent to the conjecture that every integer greater than 5 is the sum of three
   primes.

16. Let G(n) denote the number of ways to write the even integer n as the sum p + q, where p
   and q are primes with p ≤ q. Goldbach’s conjecture asserts that G(n) ≥ 1 for all even integers
   n with n > 2. A stronger conjecture asserts that G(n) tends to infinity as the even integer n
   grows without bound.
   a) Find G(n) for all even integers n with 4 < n < 30.
   b) Find G(158).   c) Find G(188).

* 17. Show that if n and k are positive integers with n > 1 and all n positive integers a, a + k,
   ..., a + (n − 1)k are odd primes, then k is divisible by every prime less than n.


Use Exercise 17 to help you solve Exercises 18-21. 


18. Find an arithmetic progression of length six that begins with the integer 7 and where every
   term is a prime.

19. Find the smallest possible minimum difference for an arithmetic progression that contains
   four terms and where every term is a prime.

20. Find the smallest possible minimum difference for an arithmetic progression that contains
   five terms and where every term is a prime.

21. Find the smallest possible minimum difference for an arithmetic progression that contains
   six terms and where every term is a prime.

22. a) In 1848, A. de Polignac conjectured that every odd positive integer is the sum of a
      prime and a power of two. Show that this conjecture is false by showing that 509 is a
      counterexample.
   b) Find the next smallest counterexample after 509.

23. A prime power is an integer of the form p^n, where p is prime and n is a positive integer greater
   than 1. Find all pairs of prime powers that differ by 1. Prove that your answer is correct.

24. Let n be a positive integer greater than 1 and let p_1, p_2, ..., p_t be the primes not exceeding
   n. Show that p_1 p_2 ··· p_t < 4^n.

25. Let n be a positive integer greater than 3 and let p be a prime such that 2n/3 < p < n. Show
   that p does not divide the binomial coefficient (2n choose n).

26. Use Exercises 24 and 25 to show that if n is a positive integer, then there exists a prime p
   such that n < p < 2n. (This is Bertrand’s conjecture.)

27. Use Exercise 26 to show that if p_n is the nth prime, then p_n < 2^n.

28. Use Bertrand’s conjecture to show that every positive integer n with n > 7 is the sum of
   distinct primes.

29. Use Bertrand’s postulate to show that 1 + i poeees oe + does not equal an integer when
   n and m are positive integers.


30. In this exercise, we show that if n is an integer with n > 4, then p_{n+1}^2 < p_1 p_2 ··· p_n, where
   p_k is the kth prime. This result is known as Bonse’s inequality.

   a) Let k be a positive integer. Show that none of the integers p_1 p_2 ··· p_{k−1} · 1 − 1,
      p_1 p_2 ··· p_{k−1} · 2 − 1, ..., p_1 p_2 ··· p_{k−1} · p_k − 1 is divisible by one of the first k − 1
      primes and that if a prime p divides one of these integers, then it cannot divide another
      of these integers.

   b) Conclude from part (a) that if n − k + 1 < p_k, then there is an integer among those listed
      in part (a) not divisible by p_j for j = 1, ..., n. (Hint: Use the pigeonhole principle.)

   c) Use part (b) to show that if n − k + 1 < p_k, then p_{n+1} < p_1 p_2 ··· p_k. Fix n and suppose
      that k is the least positive integer such that n − k + 1 < p_k. Show that n − k > p_{k−1} − 2
      and that p_{k−1} − 2 > k when k > 5 and that if n > 10, then k > 5. Conclude that if n > 20,
      then p_{n+1} < p_1 p_2 ··· p_k for some k with n − k > k. Use this to derive Bonse’s inequality
      when n > 10.

   d) Check the cases when 4 < n < 10 to finish the proof.

31. Show that 30 is the largest integer n with the property that if k < n and there is no prime p
   that divides both k and n, then k is prime. (Hint: Show that if n has this property and n > p^2
   where p is prime, then p | n. Conclude that if n > 7, then n must be divisible by 2, 3, 5,
   and 7. Apply Bonse’s inequality to show that such an n must be divisible by every prime, a
   contradiction. Show that 30 has the desired property, but no n with 30 < n < 49 does.)

32. Show that p_{n+1} p_{n+2} < p_1 p_2 ··· p_n, where p_k is the kth prime, whenever n is an integer with
   n > 4. (Hint: Use Bertrand’s postulate and the work done in part (c) of the proof of Bonse’s
   inequality.)

33. Show that p_n^2 < p_{n−1} p_{n−2} p_{n−3}, where p_k is the kth prime number and n > 6. Also, show
   that inequality does not hold when n = 3, 4, or 5. (Hint: Use Bertrand’s postulate to obtain
   p_n < 2p_{n−1} and p_{n−1} < 2p_{n−2}.)

34. Show that for every positive integer N there is an even number K so that there are more than
   N pairs of successive primes such that K is the difference between these successive primes.
   (Hint: Use the prime number theorem.)

35. Use Corollary 3.4.1 to estimate the millionth prime.


Computations and Explorations 


1. Verify as much of the information given in Table 3.1 as you can.

2. Find as many terms as you can of the sequence of prime gaps d_n, n = 1, 2, ....

3. Find as many tuples of primes of the form p, p + 2, and p + 6 as you can.

4. Verify Goldbach’s conjecture for all even positive integers less than 10,000.

5. Find all twin primes less than 10,000.

6. Find the first pair of twin primes greater than each of the integers in Computation 1.

7. Plot π_2(x), the number of twin primes not exceeding x, for 1 < x < 1000 and 1 < x < 10,000.

8. Hardy and Littlewood conjectured that π_2(x), the number of twin primes not exceeding x,
   is asymptotic to 2C_2 x/(log x)^2, where C_2 = ∏_{p>2} (1 − 1/(p − 1)^2). The constant C_2 is
   approximately equal to 0.66016. Determine how accurate this asymptotic formula for π_2(x) is for
   values of x as large as you can compute.

9. Compute Brun’s constant with as much accuracy as possible.

10. Explore the conjecture that G(n), the number of ways the even integer n is the sum p + q,
   of primes p ≤ q, satisfies G(n) > 10 for all even integers n > 188.

11. An unsettled conjecture asserts that for every positive integer n, there is an arithmetic
   progression of length n consisting of n consecutive prime numbers. The longest such arithmetic
   progression currently known consists of 22 consecutive primes. Find arithmetic progressions
   consisting of three consecutive primes with all primes less than 100 and four consecutive
   primes with all primes less than 500.

12. Show that all terms of the arithmetic progression of length five that begins with 1,464,481
   and has common difference 210 are prime.

13. Show that all terms of the arithmetic progression of length twelve that begins with 23,143
   and has common difference 30,030 are prime.

14. Find an arithmetic progression containing ten primes that begins with 199.

15. Andrica’s conjecture, named after Dorin Andrica, claims that A_n = √p_{n+1} − √p_n < 1 for all
   positive integers n, where p_n denotes the nth prime. Gather evidence for this conjecture by
   computing A_n for as many positive integers n as you can. From your work, make a conjecture
   about the largest value of A_n.

16. Verify Legendre’s conjecture for n = 1000, n = 10,000, n = 100,000, and n = 1,000,000.

17. Explore the conjecture that every even integer is the sum of two, not necessarily distinct,
   lucky numbers. Continue by exploring the conjecture that given a positive integer k, there is
   a positive integer n that can be expressed as the sum of two lucky numbers in exactly k ways.


Programming Projects 


1. Given a positive integer n, verify Goldbach’s conjecture for all even integers less than n.

2. Given a positive integer n, find all twin primes less than n.

3. Given a positive integer m, find the first m primes of the form n^2 + 1, where n is a positive
   integer.

4. Given an even positive integer n, find G(n), the number of ways to write n as the sum p + q,
   where p and q are primes with p ≤ q.

5. Given a positive integer n, find as many arithmetic progressions of length n, where every
   term is a prime.


3.3 Greatest Common Divisors and their Properties


We introduced the concept of the greatest common divisor of two integers in Section 1.5. 
Recall that the greatest common divisor of two integers a and b not both 0, denoted by 
(a, b), is the largest integer that divides both a and b. We also specified that (0, 0) = 0 to 
ensure that results we prove about greatest common divisors hold in all cases. In Section 
1.5, we stated that two integers are called relatively prime if they share no common 
divisor greater than 1. 


Note that since the divisors of —a are the same as the divisors of a, it follows that 
(a, b) = (|a|, |b|) (where |a| denotes the absolute value of a, which equals a if a > 0
and —a if a < 0). Hence, we can restrict our attention to the greatest common divisors 
of pairs of positive integers. 


In Example 1.37, we noted that (15, 81) = 3. If we divide 15 and 81 by (15, 81) = 3, 
we obtain two relatively prime integers, 5 and 27. This is no surprise, because we have 
removed all common factors. This illustrates the following theorem, which tells us that 
we obtain two relatively prime integers when we divide each of two original integers by 
their greatest common divisor. 


Theorem 3.6. If a and b are integers with (a, b) = d, then (a/d, b/d) = 1. (In other
words, a/d and b/d are relatively prime.)


Proof. Let a and b be integers with (a, b) = d. We will show that a/d and b/d have
no common positive divisors other than 1. Assume that e is a positive integer such that
e | (a/d) and e | (b/d). Then there are integers k and l with a/d = ke and b/d = le,
so that a = dek and b = del. Hence, de is a common divisor of a and b. Because d
is the greatest common divisor of a and b, de ≤ d, so that e must be 1. Consequently,
(a/d, b/d) = 1. ■


A fraction p/q where (p, q) = 1 is said to be in lowest terms. The following corollary
tells us that every fraction equals a fraction in lowest terms. 


Corollary 3.6.1. If a and b ≠ 0 are integers, then a/b = p/q for some integers p and
q ≠ 0 where (p, q) = 1.


Proof. Suppose that a and b ≠ 0 are integers. Set p = a/d and q = b/d where d =
(a, b). Then p/q = (a/d)/(b/d) = a/b. Theorem 3.6 tells us that (p, q) = 1, proving
the corollary.


We do not change the greatest common divisor of two integers when we add a 
multiple of one of the integers to the other. In Example 3.6, we showed that (24, 84) = 12. 
When we add any multiple of 24 to 84, the greatest common divisor of 24 and the resulting 
number is still 12. For example, since 2 · 24 = 48 and (−3) · 24 = −72, we see that
(24, 84 + 48) = (24, 132) = 12 and (24, 84 + (—72)) = (24, 12) = 12. The reason for 
this is that the common divisors of 24 and 84 are the same as the common divisors of 
24 and the integer that results when a multiple of 24 is added to 84. The proof of the 
following theorem justifies this reasoning. 


Theorem 3.7. Let a, b, and c be integers. Then (a + cb, b) = (a, b).


Proof. Let a, b, and c be integers. We will show that the common divisors of a and
b are exactly the same as the common divisors of a + cb and b. This will show that
(a + cb, b) = (a, b). Let e be a common divisor of a and b. By Theorem 1.9, we see that
e | (a + cb), so that e is a common divisor of a + cb and b. If f is a common divisor of
a + cb and b, then by Theorem 1.9, we see that f divides (a + cb) − cb = a, so that f
is a common divisor of a and b. Hence, (a + cb, b) = (a, b). ■


We will show that the greatest common divisor of the integers a and b, not both 0, 
can be written as a sum of multiples of a and b. To phrase this more succinctly, we use 
the following definition. 


Definition. If a and b are integers, then a linear combination of a and b is a sum of
the form ma + nb, where both m and n are integers. 


Example 3.7. What are the linear combinations 9m + 15n, where m and n are both
integers? Among these combinations are −6 = 1 · 9 + (−1) · 15; −3 = (−2) · 9 + 1 · 15;
0 = 0 · 9 + 0 · 15; 3 = 2 · 9 + (−1) · 15; 6 = (−1) · 9 + 1 · 15; and so on. It can be shown that
the set of all linear combinations of 9 and 15 is the set {..., −12, −9, −6, −3, 0, 3, 6, 9,
12, ...}, as the reader should verify after reading the proofs of the following two
theorems. ◄


In Example 3.8, we found that (9, 15) = 3 appears as the smallest positive linear 
combination with integer coefficients of 9 and 15. This is no accident, as the following 
theorem demonstrates. 


Theorem 3.8. The greatest common divisor of the integers a and b, not both 0, is the 
least positive integer that is a linear combination of a and b. 


Proof. Let d be the least positive integer that is a linear combination of a and b. (There
is a least such positive integer, using the well-ordering property, since at least one of two
linear combinations 1 · a + 0 · b and (−1)a + 0 · b, where a ≠ 0, is positive.) We write

(3.1)    d = ma + nb,

where m and n are integers. We will show that d | a and d | b.
By the division algorithm, we have

    a = dq + r,  0 ≤ r < d.

From this equation and (3.1), we see that

    r = a − dq = a − q(ma + nb) = (1 − qm)a − qnb.


This shows that the integer r is a linear combination of a and b. Because 0 ≤ r < d, and
d is the least positive linear combination of a and b, we conclude that r = 0, and hence
d | a. In a similar manner, we can show that d | b.


We have shown that d, the least positive integer that is a linear combination of
a and b, is a common divisor of a and b. What remains to be shown is that it is the
greatest common divisor of a and b. To show this, all we need show is that any common
divisor c of a and b must divide d, since any proper positive divisor of d is less than d.
Because d = ma + nb, if c | a and c | b, Theorem 1.9 tells us that c | d, so that d > c.
This concludes the proof. ■


From Theorem 3.8, we immediately see that the greatest common divisor of two 
integers a and b can be written as a linear combination of these integers. (Note that 
the theorem tells us not only that (a, b) can be written as a linear combination of these 
numbers, but also that it is the least such positive integer. Because this is such an important 
fact, we state it explicitly as a corollary.)


Corollary 3.8.1 Bezout’s Theorem. If a and b are integers, then there are integers m 
and n such that ma + nb = (a, b). 


Corollary 3.8.1 is called Bezout’s theorem after Étienne Bézout, a French
mathematician of the eighteenth century who proved a more general result about polynomials.
Even though this corollary is known as Bezout’s theorem, it had been established for
integers many years earlier by Claude Gaspar Bachet (see Chapter 13 for his biography).
The equation ma + nb = (a, b) is known as Bezout’s identity, and any integers m and n
that solve this equation for given integers a and b are called Bezout coefficients or Bezout
numbers of the pair of integers a and b.


Example 3.8. Note that (4, 10) = 2 because 1 and 2 are the only positive common
divisors of 4 and 10. The equation (−2) · 4 + 1 · 10 = 2 shows that −2 and 1 are Bezout
coefficients of 4 and 10. Because 8 · 4 + (−3) · 10 = 2, we see that 8 and −3 are also
Bezout coefficients of 4 and 10. In fact, there are infinitely many different Bezout
coefficients for 4 and 10 because −2 + 10t and 1 + (−4)t are Bezout coefficients of
4 and 10 for every integer t. ◄


Because we will often need to apply Corollary 3.8.1 in the case where a and b 
are relatively prime integers, we call out this special case as a second corollary of 
Theorem 3.8. 


Corollary 3.8.2. The integers a and b are relatively prime integers if and only if there 
are integers m and n such that ma + nb = 1. 


Proof. To prove this corollary, note that if a and b are relatively prime, then (a, b) = 1.
Consequently, by Theorem 3.8, 1 is the least positive integer that is a linear combination
of a and b. It follows that there are integers m and n such that ma + nb = 1. Conversely,
if there are integers m and n with ma + nb = 1, then by Theorem 3.8, it immediately
follows that (a, b) = 1. This follows because not both a and b are zero and 1 is clearly
the least positive integer that is a linear combination of a and b. ■


ÉTIENNE BÉZOUT (1730-1783) was born in Nemours, France, where his
father was a magistrate. His parents wanted him to follow in his father’s footsteps.
However, he was enticed to become a mathematician by reading the writings of
the great mathematician Leonhard Euler. Bézout published a series of research
papers beginning in 1756, including several on integration. In 1758, he was
appointed to a position at the Académie des Sciences in Paris; in 1763, he was
appointed examiner of the Gardes de la Marine, where he was assigned the task
of writing mathematics textbooks. This assignment led to a four-volume
textbook completed in 1767. In 1768, Bézout was appointed examiner of the Corps d’Artillerie; he was
promoted to higher positions in 1768 and in 1770. He is well known for his six-volume
comprehensive textbook on mathematics published between 1770 and 1782. Bézout’s textbooks were extremely
popular. In particular, his textbooks were studied by several generations of students who hoped to
enter the École Polytechnique, the famous engineering and science school founded in 1794. These
books were translated into English and used in North America, including at Harvard.

His most important original work was published in 1779 in the book Théorie générale des
équations algébriques, where he introduced important methods for solving simultaneous polynomial
equations in many unknowns. The most well-known result in this book is now called Bézout’s
Theorem, which in its general form tells us that the number of common points on two plane algebraic
curves equals the product of the degrees of these curves. Bézout is also credited with inventing
the determinant (which was called the Bezoutian by the great English mathematician James Joseph
Sylvester).

Bézout was considered to be a kind person with a warm heart, although he had a reserved and
somber personality. He was happily married and a father.


Theorem 3.8 is valuable: We can obtain results about the greatest common divisor 
of two integers using the fact that the greatest common divisor is the least positive linear 
combination of these integers. Having different representations of the greatest common 
divisor of two integers allows us to choose the one that is most useful for a particular 
purpose. This is illustrated in the proof of the following theorem. 


Theorem 3.9. If a and b are positive integers, then the set of linear combinations of a 
and b is the set of integer multiples of (a, b). 


Proof. Suppose that d = (a, b). We first show that every linear combination of a and b
must also be a multiple of d. First note that by the definition of greatest common divisor,
we know that d | a and d | b. Now every linear combination of a and b is of the form
ma + nb, where m and n are integers. By Theorem 1.9, it follows that whenever m and
n are integers, d divides ma + nb. That is, ma + nb is a multiple of d.


We now show that every multiple of d is also a linear combination of a and b. By
Theorem 3.8, we know that there are integers r and s such that (a, b) = ra + sb. The
multiples of d are the integers of the form jd, where j is an integer. Multiplying both
sides of the equation d = ra + sb by j, we see that jd = (jr)a + (js)b. Consequently,
every multiple of d is a linear combination of a and b. This completes the proof. ■


We have defined greatest common divisors using the notion that the integers are 
ordered. That is, given two distinct integers, one is larger than the other. However, we 
can define the greatest common divisor of two integers without relying on this notion of 
order, as we do in Theorem 3.10. This characterization of the greatest common divisor of 
two integers not depending on ordering is generalized in the study of algebraic number 
theory to apply to what are known as algebraic number fields. 


Theorem 3.10. If a and b are integers, not both 0, then a positive integer d is the 
greatest common divisor of a and b if and only if 


(i) d | a and d | b, and


(ii) if c is an integer with c | a and c | b, then c | d.


Proof. We will first show that the greatest common divisor of a and b has these two 
properties. Suppose that d = (a, b). By the definition of common divisor, we know that 
d|aandd | b. By Theorem 3.8, we know that d = ma + nb, where m and n are integers. 
Consequently, if c | a and c | b, then by Theorem 1.9, c | d = ma + nb. We have now 
shown that if d = (a, b), then properties (i) and (ii) hold. 


Now assume that properties (i) and (ii) hold. Then we know that d is a common 
divisor of a and b. Furthermore, by property (ii), we know that if c is a common divisor 
of a and b, then c | d, so that d = ck for some integer k. Hence, c = d/k ≤ d. (We 
have used the fact that a positive integer divided by any nonzero integer is less than that 
integer.) This shows that a positive integer satisfying (i) and (ii) must be the greatest 
common divisor of a and b. 


Note that Theorem 3.10 tells us that the greatest common divisor of two integers a 
and b, not both 0, is the positive common divisor of these integers that is divisible by all 
other common divisors. 


We have shown that the greatest common divisor of a and b, not both 0, is a 
linear combination of a and b. However, we have not explained how to find a particular 
linear combination of a and b that equals (a, b). In the next section, we will provide an 
algorithm that finds a particular linear combination of a and b that equals (a, b). 


We can also define the greatest common divisor of more than two integers. 


Definition. Let a_1, a_2, ..., a_n be integers, not all 0. The greatest common divisor of 
these integers is the largest integer that is a divisor of all of the integers in the set. The 
greatest common divisor of a_1, a_2, ..., a_n is denoted by (a_1, a_2, ..., a_n). (Note that the 
order in which the a_i’s appear does not affect the result.) 


Example 3.9. We easily see that (12, 18, 30) = 6 and (10, 15, 25) = 5. 


We can use the following lemma to find the greatest common divisor of a set of more 
than two integers. 


Lemma 3.2. If a_1, a_2, ..., a_n are integers, not all 0, then (a_1, a_2, ..., a_{n-1}, a_n) = 
(a_1, a_2, ..., a_{n-2}, (a_{n-1}, a_n)). 


Proof. Any common divisor of the n integers a_1, a_2, ..., a_{n-1}, a_n is, in particular, a 
divisor of a_{n-1} and a_n, and therefore a divisor of (a_{n-1}, a_n). Also, any common divisor 
of the n - 2 integers a_1, a_2, ..., a_{n-2}, and (a_{n-1}, a_n) must be a common divisor of all 
n integers, for if it divides (a_{n-1}, a_n), then it must divide both a_{n-1} and a_n. Because the 
set of n integers and the set of the first n - 2 integers together with the greatest common 
divisor of the last two integers have exactly the same divisors, their greatest common 
divisors are equal. 


Example 3.10. To find the greatest common divisor of the three integers 105, 140, and 
350, we use Lemma 3.2 to see that (105, 140, 350) = (105, (140, 350)) = (105, 70) = 
35. 


Example 3.11. Consider the integers 15, 21, and 35. We find that the greatest common 
divisor of these three integers is 1 using the following steps: 


(15, 21, 35) = (15, (21, 35)) = (15, 7) = 1. 


Each pair among these integers has a common factor greater than 1, because (15, 21) = 3, 
(15, 35) = 5, and (21, 35) = 7. 


Example 3.11 motivates the following definition. 


Definition. We say that the integers a_1, a_2, ..., a_n are mutually relatively prime if 
(a_1, a_2, ..., a_n) = 1. These integers are called pairwise relatively prime if, for each pair 
of integers a_i and a_j with i ≠ j from the set, (a_i, a_j) = 1; that is, if each pair of integers 
from the set is relatively prime. 


The concept of pairwise relatively prime is used much more often than the concept 
of mutually relatively prime. Also, note that pairwise relatively prime integers must be 
mutually relatively prime, but that the converse is false (as the integers 15, 21, and 35 in 
Example 3.11 show). 
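
The reduction of Lemma 3.2 and the two notions of relative primality can be checked by machine. The following Python sketch is an added illustration, not part of the text; the function names are chosen here, and it reproduces Examples 3.10 and 3.11.

```python
from itertools import combinations
from math import gcd


def gcd_many(values):
    """(a_1, ..., a_n) computed with the reduction of Lemma 3.2.

    The last two entries are repeatedly replaced by their greatest common
    divisor, so (a_1, ..., a_{n-1}, a_n) becomes (a_1, ..., (a_{n-1}, a_n)).
    """
    vals = list(values)
    if not any(vals):
        raise ValueError("the integers must not all be 0")
    while len(vals) > 1:
        last = vals.pop()
        vals[-1] = gcd(vals[-1], last)
    return abs(vals[0])


def mutually_relatively_prime(values):
    """True when the greatest common divisor of the whole set is 1."""
    return gcd_many(values) == 1


def pairwise_relatively_prime(values):
    """True when every pair a_i, a_j with i != j has (a_i, a_j) = 1."""
    return all(gcd(x, y) == 1 for x, y in combinations(values, 2))


def offending_pairs(values):
    """Pairs with a common factor greater than 1, with that factor."""
    return [(x, y, gcd(x, y))
            for x, y in combinations(values, 2) if gcd(x, y) > 1]


if __name__ == "__main__":
    print(gcd_many([105, 140, 350]))          # Example 3.10
    triple = [15, 21, 35]                     # Example 3.11
    print(mutually_relatively_prime(triple),
          pairwise_relatively_prime(triple),
          offending_pairs(triple))
```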


3.3 EXERCISES 


1. Find the greatest common divisor of each of the following pairs of integers. 
a) 15, 35        c) -12, 18       e) 11, 121 
b) 0, 111        d) 99, 100       f) 100, 102 

2. Find the greatest common divisor of each of the following pairs of integers. 
a) 5, 15         c) -27, -45      e) 100, 121 
b) 0, 100        d) -90, 100      f) 1001, 289 

3. Let a be a positive integer. What is the greatest common divisor of a and 2a? 

4. Let a be a positive integer. What is the greatest common divisor of a and a^2? 

5. Let a be a positive integer. What is the greatest common divisor of a and a + 1? 

6. Let a be a positive integer. What is the greatest common divisor of a and a + 2? 

7. Show that the greatest common divisor of two even numbers is even. 

8. Show that the greatest common divisor of an even number and an odd number is odd. 

9. Show that if a and b are integers, not both 0, and c is a nonzero integer, then (ca, cb) = 
|c|(a, b). 

10. Show that if a and b are integers with (a, b) = 1, then (a + b, a - b) = 1 or 2. 

11. What is (a^2 + b^2, a + b), where a and b are relatively prime integers that are not both 0? 

12. Show that if a and b are both even integers that are not both 0, then (a, b) = 2(a/2, b/2). 

13. Show that if a is an even integer and b is an odd integer, then (a, b) = (a/2, b). 

14. Show that if a, b, and c are integers such that (a, b) = 1 and c | (a + b), then (c, a) = (c, b) = 
1. 

15. Show that if a, b, and c are mutually relatively prime nonzero integers, then (a, bc) = 
(a, b)(a, c). 

16. a) Show that if a, b, and c are integers with (a, b) = (a, c) = 1, then (a, bc) = 1. 
b) Use mathematical induction to show that if a_1, a_2, ..., a_n are integers, and b is another 
integer such that (a_1, b) = (a_2, b) = ··· = (a_n, b) = 1, then (a_1 a_2 ··· a_n, b) = 1. 

17. Find a set of three integers that are mutually relatively prime, but any two of which are not 
relatively prime. Do not use examples from the text. 

18. Find four integers that are mutually relatively prime such that any three of these integers are 
not mutually relatively prime. 

19. Find the greatest common divisor of each of the following sets of integers. 
a) 8, 10, 12     c) 99, 9999, 0   e) -7, 28, -35 
b) 5, 25, 75     d) 6, 15, 21     f) 0, 0, 1001 

20. Find three mutually relatively prime integers from among the integers 66, 105, 42, 70, and 
165. 

21. Show that if a_1, a_2, ..., a_n are integers that are not all 0 and c is a positive integer, then 
(ca_1, ca_2, ..., ca_n) = c(a_1, a_2, ..., a_n). 

22. Show that the greatest common divisor of the integers a_1, a_2, ..., a_n, not all 0, is the least 
positive integer that is a linear combination of a_1, a_2, ..., a_n. 

23. Show that if k is an integer, then the integers 6k - 1, 6k + 1, 6k + 2, 6k + 3, and 6k + 5 are 
pairwise relatively prime. 

24. Show that if k is a positive integer, then 3k + 2 and 5k + 3 are relatively prime. 

25. Show that 8a + 3 and 5a + 2 are relatively prime for all integers a. 

26. Show that if k is a positive integer, then (6k + 7)/(3k + 4) is in lowest terms. 

27. Show that if k is a positive integer, then (15k + 4)/(10k + 3) is in lowest terms. 

28. Show that if a and b are relatively prime integers, then (a + 2b, 2a + b) = 1 or 3. 

29. Show that every positive integer greater than 6 is the sum of two relatively prime integers 
greater than 1. 

30. Show that if n is a positive integer, then (n + 1, n^2 - n + 1) = 1 or 3. 

31. Show that if n is a positive integer, then (2n^2 + 6n - 4, 2n^2 + 4n - 3) = 1. 

32. Show that if n is a positive integer, then (n^2 + 2, n + 1) = 1, 3, or 9. 


The Farey series F_n of order n, named after John Farey, is the set of fractions h/k, where h and 
k are integers, 0 ≤ h ≤ k ≤ n, and (h, k) = 1, in ascending order. We include 0 and 1 in the forms 
0/1 and 1/1, respectively. For instance, the Farey series of order 4 is 


0/1, 1/4, 1/3, 1/2, 2/3, 3/4, 1/1. 


Exercises 33-37 deal with Farey series. 


33. Find the Farey series of order 5. 

34. Find the Farey series of order 7. 

35. Show that if a/b, c/d, and e/f are successive terms of a Farey series, then 
c/d = (a + e)/(b + f). 

36. Show that if a/b and c/d are successive terms of a Farey series, then ad - bc = -1. 

37. Show that if a/b and c/d are successive terms of the Farey series of order n, then b + d > n. 

38. a) Show that if a and b are positive integers, then ((a^n - b^n)/(a - b), a - b) = (n(a, b)^{n-1}, 
a - b). 
b) Show that if a and b are relatively prime positive integers, then 
((a^n - b^n)/(a - b), a - b) = (n, a - b). 


39. Show that if a, b, c, and d are integers such that b and d are positive, (a, b) = (c, d) = 1, and 
a/b + c/d is an integer, then b = d. 

40. What can you conclude if a, b, and c are positive integers such that (a, b) = (b, c) = 1 and 
1/a + 1/b + 1/c is an integer? 

41. Show that if a and b are positive integers, then (a, b) = 2 Σ_{i=1}^{a-1} [bi/a] + a + b - ab. (Hint: 
Count the number of lattice points, that is, points with integer coordinates, inside or on the 
triangle with vertices (0, 0), (0, b), and (a, 0) in two different ways.) 

42. Show that if n is a positive integer and i and j are integers with 1 ≤ i < j ≤ n, then 
(n! · i + 1, n! · j + 1) = 1. 

43. Use Exercise 42 to show that there are infinitely many primes. (Hint: Assume that there are 
exactly r primes and consider the r + 1 numbers (r + 1)! · i + 1 for i = 1, 2, ..., r + 1. This 
proof was discovered by P. Schorn.) 

44. Show that if c and d are relatively prime positive integers, then the integers a_j, j = 
0, 1, 2, ..., defined by a_0 = c and a_n = a_0 a_1 ··· a_{n-1} + d for n = 1, 2, ..., are pairwise 
relatively prime. 


JOHN FAREY (1766-1826) attended school in Woburn, England, until the age of 16. In 
1782, he entered a school in Halifax, Yorkshire, where he studied mathematics, drawing, 
and surveying. In 1790, he married, and his first son was born the following year. In 1792, 
the Duke of Bedford appointed Farey as land steward for his Woburn estates. Farey held 
this post until 1802, developing expertise in geology. When the duke died suddenly, the 
duke’s brother dismissed Farey, who went to London and established an extensive practice 
as a surveyor and geologist. 

Farey’s geologic work included studies of soils and strata in Derbyshire. He also 
produced a map of the strata visible between London and Brighton. Farey also produced 
extensive scientific writings, publishing around 60 articles in philosophical and scientific 
magazines. These articles address a wide range of topics, including geology, forestry, 
physics, and many other areas. 

Although he achieved moderate fame as a geologist, ironically Farey is remembered 
for a contribution to mathematics. In his four-paragraph 1816 article, “On a curious property 
of vulgar fractions,” Farey noted that a reduced fraction p/q with 0 < p/q < 1 and q ≤ n 
equals the fraction whose numerator and denominator are the sum of the numerators and the 
sum of the denominators, respectively, of the fractions on either side of p/q when all reduced 
fractions between 0 and 1 with denominators not exceeding n are written in increasing order 
(see Exercise 27). Farey said he was unaware whether this property was already known. He 
also wrote that he did not have a proof. The French mathematician Cauchy read Farey’s 
article and proved this property in the book Exercises de mathématique, published in 1816. 
It was Cauchy who coined the name Farey series because he thought Farey was the first 
person to notice this property. 

Not surprisingly, Farey was not the first person to notice the property for which he 
became famous. In 1802, C. Haros wrote an article in which he approximates decimal 
fractions using common fractions, constructing the Farey sequence for n = 99. 


Computations and Explorations 


1. Find (987654321, 123456789) and [987654321, 123456789]. 
2. Find (122333444455555, 666667777888990) and [12233344445555, 666667777888990]. 
3. Construct the Farey series of order 100. 


4. Verify the properties of the Farey series given in Exercises 27, 28, and 29 for successive terms 
of your choice in the Farey series of order 100. 


5. The number of Farey fractions of order n, |F_n|, is asymptotic to 3n^2/π^2. Explore how well 
this asymptotic formula approximates |F_n| for increasingly larger values of n. 


Programming Projects 


1. Given two positive integers m and n and their lists of positive divisors, find (m, n). 
2. Given a positive integer n, list the Farey series of order n. 


3.4 The Euclidean Algorithm 




We are going to develop a systematic method, or algorithm, to find the greatest common 
divisor of two positive integers. This method is called the Euclidean algorithm. It is 
named after the ancient Greek mathematician Euclid, who describes this algorithm in his 
Elements. (The same method for finding greatest common divisors was also described in 
the sixth century by the Indian mathematician Aryabhata, who called it “the pulverizer.”) 


Before we discuss the algorithm in general, we demonstrate its use with an example. 
We find the greatest common divisor of 30 and 72. First, we use the division algorithm 
to write 72 = 30 · 2 + 12, and we use Theorem 3.7 to note that (30, 72) = (30, 72 - 
2 · 30) = (30, 12). Note that we have replaced 72 by the smaller number 12 in our 
computations because (72, 30) = (30, 12). Next, we use the division algorithm again to 
write 30 = 2 · 12 + 6. Using the same reasoning as before, we see that (30, 12) = (12, 6). 


Because 12 = 6 · 2 + 0, we now see that (12, 6) = (6, 0) = 6. Consequently, we can 
conclude that (72, 30) = 6, without finding all the common divisors of 30 and 72. 


EUCLID (c. 350 B.C.E.) was the author of the most successful mathematics 
textbook ever written, namely his Elements, which has appeared in over a 
thousand editions from ancient to modern times. Very little is known about 
Euclid’s life, other than that he taught at the famed academy at Alexandria. 
Evidently he did not stress the applications of mathematics, for it is reputed 
that when asked by a student for the use of geometry, Euclid had his slave give 
the student some coins, “because he must needs make gain of what he learns.” 
Euclid’s Elements provides an introduction to plane and solid geometry, and to 
number theory. The Euclidean algorithm is found in Book VII of the thirteen books in the Elements, 
and his proof of the infinitude of primes is found in Book IX. Euclid also wrote books on a variety of 
other topics, including astronomy, optics, music, and mechanics. 


We now present the general form of the Euclidean algorithm for computing the 
greatest common divisor of two positive integers. 


Theorem 3.11. The Euclidean Algorithm. Let r_0 = a and r_1 = b be integers such 
that a > b > 0. If the division algorithm is successively applied to obtain 
r_j = r_{j+1} q_{j+1} + r_{j+2}, with 0 < r_{j+2} < r_{j+1} for j = 0, 1, 2, ..., n - 2 and 
r_{n+1} = 0, then (a, b) = r_n, the last nonzero remainder. 


From this theorem, we see that the greatest common divisor of a and b is the last 
nonzero remainder in the sequence of equations generated by successively applying 
the division algorithm and continuing until a remainder is 0—where, at each step, the 
dividend and divisor are replaced by smaller numbers, namely, the divisor and remainder. 


To prove that the Euclidean algorithm produces greatest common divisors, the 
following lemma will be helpful. 


Lemma 3.3. If e and d are integers and e = dq +r, where g and r are integers, then 
(e,d)=(d,r). 


Proof. This lemma follows directly from Theorem 3.7, taking a = r, b = d, and c = q. 


We now prove that the Euclidean algorithm produces the greatest common divisor 
of two integers. 


Proof. Let r_0 = a and r_1 = b be positive integers with a > b. By successively applying 
the division algorithm, we find that 


r_0 = r_1 q_1 + r_2,                 0 ≤ r_2 < r_1, 
r_1 = r_2 q_2 + r_3,                 0 ≤ r_3 < r_2, 
   ... 
r_{j-2} = r_{j-1} q_{j-1} + r_j,     0 ≤ r_j < r_{j-1}, 
   ... 
r_{n-4} = r_{n-3} q_{n-3} + r_{n-2}, 0 ≤ r_{n-2} < r_{n-3}, 
r_{n-3} = r_{n-2} q_{n-2} + r_{n-1}, 0 ≤ r_{n-1} < r_{n-2}, 
r_{n-2} = r_{n-1} q_{n-1} + r_n,     0 ≤ r_n < r_{n-1}, 
r_{n-1} = r_n q_n. 


We can assume that we eventually obtain a remainder of zero, because the sequence 
of remainders a = r_0 > r_1 > r_2 > ··· ≥ 0 cannot contain more than a terms (because 
each remainder is an integer). By Lemma 3.3, we see that (a, b) = (r_0, r_1) = (r_1, r_2) = 
(r_2, r_3) = ··· = (r_{n-3}, r_{n-2}) = (r_{n-2}, r_{n-1}) = (r_{n-1}, r_n) = (r_n, 0) = r_n. Hence, (a, b) = 
r_n, the last nonzero remainder. 


ARYABHATA (476-550) was born in Kusumapura (now Patna), India. He is the author 
of the Aryabhatiya, a summary of Hindu mathematics written entirely in verse. This book 
covers astronomy, geometry, plane and spherical trigonometry, arithmetic, and algebra. 
Topics studied include formulas for areas and volumes, continued fractions, sums of power 
series, an approximation for π, and tables of sines. Aryabhata also described a method for 
finding greatest common divisors that is the same as the method described by Euclid. His 
formulas for the areas of triangles and circles are correct, but those for the volumes of spheres 
and pyramids are wrong. Aryabhata also produced an astronomy text, Siddhanta, which 
includes a number of remarkably accurate statements (as well as other statements that are 
not correct). For example, he states that the orbits of the planets are ellipses, and he correctly 
describes the causes of solar and lunar eclipses. India named its first satellite, launched 
in 1975 by the Russians, Aryabhata, in recognition of his fundamental contributions to 
astronomy and mathematics. 


We illustrate the use of the Euclidean algorithm with the following example. 


Example 3.12. The steps used by the Euclidean algorithm to find (252, 198) are 


252 = 1 · 198 + 54 
198 = 3 · 54 + 36 
 54 = 1 · 36 + 18 
 36 = 2 · 18. 


We summarize these steps in the following table: 

j    r_j    r_{j+1}    q_{j+1}    r_{j+2} 
0    252    198        1          54 
1    198    54         3          36 
2    54     36         1          18 
3    36     18         2          0 


The last nonzero remainder (found in the next-to-last row in the last column) is the 
greatest common divisor of 252 and 198. Hence, (252, 198) = 18. 


The Euclidean algorithm is an extremely fast way to find greatest common divisors. 


Later, we will see this when we estimate the maximum number of divisions used 
by the Euclidean algorithm to find the greatest common divisor of two positive integers. 
However, we first show that, given any positive integer n, there are integers a and b such 
that exactly n divisions are required to find (a, b) using the Euclidean algorithm. We can 
find such numbers by taking successive terms of the Fibonacci sequence. 


The reason that the Euclidean algorithm operates so slowly when it finds the greatest 
common divisor of successive Fibonacci numbers is that the quotient in all but the last 
step is 1, as illustrated in the following example. 


Example 3.13. We apply the Euclidean algorithm to find (34, 55). Note that f_9 = 34 
and f_10 = 55. We have 


55 = 34 · 1 + 21 
34 = 21 · 1 + 13 
21 = 13 · 1 + 8 
13 = 8 · 1 + 5 
 8 = 5 · 1 + 3 
 5 = 3 · 1 + 2 
 3 = 2 · 1 + 1 
 2 = 1 · 2. 


Observe that when the Euclidean algorithm is used to find the greatest common divisor of 
f_9 = 34 and f_10 = 55, a total of eight divisions are required. Furthermore, (34, 55) = 1, 
because 1 is the last nonzero remainder. 


The following theorem tells us how many divisions are used by the Euclidean 
algorithm to find the greatest common divisor of successive Fibonacci numbers. 


Theorem 3.12. Let f_{n+1} and f_{n+2} be successive terms of the Fibonacci sequence, 
with n > 1. Then the Euclidean algorithm takes exactly n divisions to show that 
(f_{n+1}, f_{n+2}) = 1. 


Proof. Applying the Euclidean algorithm, and using the defining relation for the Fibonacci 
numbers f_j = f_{j-1} + f_{j-2} in each step, we see that 


f_{n+2} = f_{n+1} · 1 + f_n, 
f_{n+1} = f_n · 1 + f_{n-1}, 
   ... 
f_4 = f_3 · 1 + f_2, 
f_3 = f_2 · 2. 


Hence, the Euclidean algorithm takes exactly n divisions to show that (f_{n+2}, f_{n+1}) = 
f_2 = 1. 


The Complexity of the Euclidean Algorithm We can now prove a theorem first 
proved by Gabriel Lamé, a French mathematician of the nineteenth century, which gives 
an estimate for the number of divisions needed to find the greatest common divisor using 
the Euclidean algorithm. 


Theorem 3.13. Lamé’s Theorem. The number of divisions needed to find the greatest 
common divisor of two positive integers using the Euclidean algorithm does not exceed 
five times the number of decimal digits in the smaller of the two integers. 


Proof. When we apply the Euclidean algorithm to find the greatest common divisor of 
a = r_0 and b = r_1 with a > b, we obtain the following sequence of equations: 


r_0 = r_1 q_1 + r_2,             0 ≤ r_2 < r_1, 
r_1 = r_2 q_2 + r_3,             0 ≤ r_3 < r_2, 
   ... 
r_{n-2} = r_{n-1} q_{n-1} + r_n, 0 ≤ r_n < r_{n-1}, 
r_{n-1} = r_n q_n. 


We have used n divisions. We note that each of the quotients q_1, q_2, ..., q_{n-1} ≥ 1, and 
q_n ≥ 2, because r_n < r_{n-1}. Therefore, 


r_n ≥ 1 = f_2, 
r_{n-1} ≥ 2r_n ≥ 2f_2 = f_3, 
r_{n-2} ≥ r_{n-1} + r_n ≥ f_3 + f_2 = f_4, 
r_{n-3} ≥ r_{n-2} + r_{n-1} ≥ f_4 + f_3 = f_5, 
   ... 
r_2 ≥ r_3 + r_4 ≥ f_{n-1} + f_{n-2} = f_n, 
b = r_1 ≥ r_2 + r_3 ≥ f_n + f_{n-1} = f_{n+1}. 


Thus, for there to be n divisions used in the Euclidean algorithm, we must have b ≥ f_{n+1}. 


By Example 1.28, we know that f_{n+1} > α^{n-1} for n > 2, where α = (1 + √5)/2. Hence, 
b > α^{n-1}. Now, because log_10 α > 1/5, we see that 


log_10 b > (n - 1) log_10 α > (n - 1)/5. 


Consequently, 


n - 1 < 5 · log_10 b. 


Let b have k decimal digits, so that b < 10^k and log_10 b < k. Hence, we see that 
n - 1 < 5k, and because k is an integer, we can conclude that n ≤ 5k. This establishes 
Lamé’s theorem. 


The following result is a consequence of Lamé’s theorem. It tells us that the 
Euclidean algorithm is very efficient. 


Corollary 3.13.1. The greatest common divisor of two positive integers a and b with 
a > b can be found using O((log_2 a)^3) bit operations. 


Proof. We know from Lamé’s theorem that O(log_2 a) divisions, each taking 
O((log_2 a)^2) bit operations, are needed to find (a, b). Hence, by Theorem 2.3, (a, b) 
may be found using a total of O((log_2 a)^3) bit operations. 


GABRIEL LAMÉ (1795-1870) was a graduate of the École Polytechnique. 
A civil and railway engineer, he advanced the mathematical theory of elasticity 
and invented curvilinear coordinates. Although his main contributions were to 
mathematical physics, he made several discoveries in number theory, including 
the estimate of the number of steps required by the Euclidean algorithm, and 
the proof that Fermat’s last theorem holds for n = 7 (see Section 13.2). It 
is interesting to note that Gauss considered Lamé to be the foremost French 
mathematician of his time. 
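
Theorem 3.12 and Lamé’s theorem can both be checked by counting divisions. The following Python sketch is an added illustration, not part of the text; the function names are chosen here, and it assumes a ≥ b > 0 with r_0 = a and r_1 = b as in Theorem 3.11.

```python
def euclid_rows(a, b):
    """Rows (j, r_j, r_{j+1}, q_{j+1}, r_{j+2}) of the Euclidean algorithm.

    Assumes a >= b > 0, with r_0 = a and r_1 = b as in Theorem 3.11.
    """
    if b <= 0 or a < b:
        raise ValueError("need a >= b > 0")
    rows, j = [], 0
    while b != 0:
        q, r = divmod(a, b)      # division algorithm: a = b*q + r, 0 <= r < b
        rows.append((j, a, b, q, r))
        a, b = b, r              # Lemma 3.3: (a, b) = (b, r)
        j += 1
    return rows


def gcd_with_count(a, b):
    """Return ((a, b), number of divisions used)."""
    rows = euclid_rows(a, b)
    # The divisor in the final row is the last nonzero remainder.
    return rows[-1][2], len(rows)


def quotients(a, b):
    """The quotients q_1, ..., q_n in order."""
    return [row[3] for row in euclid_rows(a, b)]


def fibonacci(n):
    """f_n, with f_1 = f_2 = 1."""
    x, y = 1, 1
    for _ in range(n - 1):
        x, y = y, x + y
    return x


def lame_bound(b):
    """Five times the number of decimal digits of the smaller integer."""
    return 5 * len(str(b))


def fibonacci_report(max_n):
    """Tuples (n, f_{n+1}, divisions, bound) for (f_{n+2}, f_{n+1}), n = 2..max_n."""
    report = []
    for n in range(2, max_n + 1):
        small, large = fibonacci(n + 1), fibonacci(n + 2)
        d, divisions = gcd_with_count(large, small)
        if d != 1:
            raise AssertionError("successive Fibonacci numbers must be coprime")
        report.append((n, small, divisions, lame_bound(small)))
    return report


if __name__ == "__main__":
    for row in euclid_rows(252, 198):         # table of Example 3.12
        print(row)
    print(quotients(55, 34))                  # Example 3.13: all 1 except the last
    for n, small, divisions, bound in fibonacci_report(12):
        print(n, small, divisions, bound)
```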


Expressing Greatest Common Divisors As Linear Combinations The Euclidean 
algorithm can be used to express the greatest common divisor of two integers as 
a linear combination of these integers. We illustrate this by expressing (252, 198) = 18 
as a linear combination of 252 and 198. Referring to the steps of the Euclidean algorithm 
used to find (252, 198), by the next to the last step we see that 


18 = 54 - 1 · 36. 

By the preceding step, it follows that 

36 = 198 - 3 · 54, 

which implies that 

18 = 54 - 1 · (198 - 3 · 54) = 4 · 54 - 1 · 198. 

Likewise, by the first step, we have 

54 = 252 - 1 · 198, 

so that 

18 = 4(252 - 1 · 198) - 1 · 198 = 4 · 252 - 5 · 198. 

This last equation exhibits 18 = (252, 198) as a linear combination of 252 and 198. 


In general, to see how d = (a, b) may be expressed as a linear combination of a and 
b, refer to the series of equations that is generated by the Euclidean algorithm. By the 
penultimate equation, we have 

r_n = (a, b) = r_{n-2} - r_{n-1} q_{n-1}. 


This expresses (a, b) as a linear combination of r_{n-2} and r_{n-1}. The second to the last 
equation can be used to express r_{n-1} as r_{n-3} - r_{n-2} q_{n-2}. Using this last equation to 
eliminate r_{n-1} in the previous expression for (a, b), we find that 

r_{n-1} = r_{n-3} - r_{n-2} q_{n-2}, 

so that 

(a, b) = r_{n-2} - (r_{n-3} - r_{n-2} q_{n-2}) q_{n-1} 
       = (1 + q_{n-1} q_{n-2}) r_{n-2} - q_{n-1} r_{n-3}, 


which expresses (a, b) as a linear combination of r_{n-2} and r_{n-3}. We continue working 
backward through the steps of the Euclidean algorithm to express (a, b) as a linear 
combination of each preceding pair of remainders, until we have found (a, b) as a linear 
combination of r_0 = a and r_1 = b. Specifically, if we have found at a particular stage that 


(a, b) = s r_j + t r_{j-1}, 

then, because 

r_j = r_{j-2} - r_{j-1} q_{j-1}, 

we have 

(a, b) = s(r_{j-2} - r_{j-1} q_{j-1}) + t r_{j-1} 
       = (t - s q_{j-1}) r_{j-1} + s r_{j-2}. 

This shows how to move up through the equations that are generated by the Euclidean 
algorithm so that, at each step, the greatest common divisor of a and b may be expressed 
as a linear combination of a and b. 


This method for expressing (a, b) as a linear combination of a and b is somewhat 
inconvenient for calculation, because it is necessary to work out the steps of the Euclidean 
algorithm, save all these steps, and then proceed backward through the steps to write 
(a, b) as a linear combination of each successive pair of remainders. There is another 
method for finding (a, b) that requires working through the steps of the Euclidean 
algorithm only once. The following theorem gives this method, which is called the 
extended Euclidean algorithm. 


Theorem 3.14. Let a and b be positive integers. Then 

(a, b) = s_n a + t_n b, 


where s_n and t_n are the nth terms of the sequences defined recursively by 

s_0 = 1, t_0 = 0, 
s_1 = 0, t_1 = 1, 

and 

s_j = s_{j-2} - q_{j-1} s_{j-1}, t_j = t_{j-2} - q_{j-1} t_{j-1} 


for j = 2, 3, ..., n, where the q_j are the quotients in the divisions of the Euclidean 
algorithm when it is used to find (a, b). 


Proof. We will prove that 


(3.2) r_j = s_j a + t_j b 


for j = 0, 1, ..., n. Because (a, b) = r_n, once we have established (3.2), we will know 
that 

(a, b) = s_n a + t_n b. 


We prove (3.2) using the second principle of mathematical induction. For j = 0, 
we have a = r_0 = 1 · a + 0 · b = s_0 a + t_0 b. Hence, (3.2) is valid for j = 0. Likewise, 
b = r_1 = 0 · a + 1 · b = s_1 a + t_1 b, so that (3.2) is valid for j = 1. 


Now we assume that 

r_j = s_j a + t_j b 

for j = 1, 2, ..., k - 1. Then, from the kth step of the Euclidean algorithm, we have 

r_k = r_{k-2} - r_{k-1} q_{k-1}. 

Using the induction hypothesis, we find that 

r_k = (s_{k-2} a + t_{k-2} b) - (s_{k-1} a + t_{k-1} b) q_{k-1} 
    = (s_{k-2} - s_{k-1} q_{k-1}) a + (t_{k-2} - t_{k-1} q_{k-1}) b 
    = s_k a + t_k b. 

This finishes the proof. 


The following example illustrates the use of this algorithm for expressing (a, b) as 
a linear combination of a and b. 


Example 3.14. We summarize the steps used by the extended Euclidean algorithm to 
express (252, 198) as a linear combination of 252 and 198 in the following table. 


j    r_j    r_{j+1}    q_{j+1}    r_{j+2}    s_j    t_j 
0    252    198        1          54         1      0 
1    198    54         3          36         0      1 
2    54     36         1          18         1      -1 
3    36     18         2          0          -3     4 
4                                            4      -5 


The values of s_j and t_j, j = 0, 1, 2, 3, 4, are computed as follows: 


s_0 = 1,                                  t_0 = 0, 
s_1 = 0,                                  t_1 = 1, 
s_2 = s_0 - s_1 q_1 = 1 - 0 · 1 = 1,      t_2 = t_0 - t_1 q_1 = 0 - 1 · 1 = -1, 
s_3 = s_1 - s_2 q_2 = 0 - 1 · 3 = -3,     t_3 = t_1 - t_2 q_2 = 1 - (-1) · 3 = 4, 
s_4 = s_2 - s_3 q_3 = 1 - (-3) · 1 = 4,   t_4 = t_2 - t_3 q_3 = -1 - 4 · 1 = -5. 

Because r_4 = 18 = (252, 198) and r_4 = s_4 a + t_4 b, we have 


18 = (252, 198) = 4 · 252 - 5 · 198. 


Note that the greatest common divisor of two integers, not both 0, may be expressed 
as a linear combination of these integers in an infinite number of ways. In other words, 
there are infinitely many pairs of Bezout coefficients for every pair of integers, not both 
zero. To see this, let d = (a, b) and let d = sa + tb be one way to write d as a linear 
combination of a and b, so that s and t are Bezout coefficients for a and b, guaranteed 
to exist by the previous discussion. Then for all integers k, s + k(b/d) and t - k(a/d) 
are also Bezout coefficients for a and b because 


d = (s + k(b/d))a + (t - k(a/d))b. 


Example 3.15. With a = 252 and b = 198, we have 18 = (252, 198) = (4 + 11k) · 252 + 
(-5 - 14k) · 198 for any integer k. 
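
The single pass of Theorem 3.14 and the family of Bezout coefficients in Example 3.15 can be reproduced as follows. This Python sketch is an added illustration, not part of the text; the function names are chosen here, and the rows it returns match the table of Example 3.14.

```python
def extended_euclid(a, b):
    """Extended Euclidean algorithm of Theorem 3.14 for positive a and b.

    Returns (rows, d, s, t) where each row is
    (j, r_j, r_{j+1}, q_{j+1}, r_{j+2}, s_j, t_j) and d = (a, b) = s*a + t*b.
    """
    if a <= 0 or b <= 0:
        raise ValueError("a and b must be positive integers")
    r_prev, r_cur = a, b          # r_0 = a, r_1 = b
    s_prev, s_cur = 1, 0          # s_0 = 1, s_1 = 0
    t_prev, t_cur = 0, 1          # t_0 = 0, t_1 = 1
    rows, j = [], 0
    while r_cur != 0:
        q, r_next = divmod(r_prev, r_cur)
        # Equation (3.2): r_j = s_j a + t_j b holds at every stage.
        if r_prev != s_prev * a + t_prev * b:
            raise AssertionError("invariant (3.2) violated")
        rows.append((j, r_prev, r_cur, q, r_next, s_prev, t_prev))
        r_prev, r_cur = r_cur, r_next
        s_prev, s_cur = s_cur, s_prev - q * s_cur   # s_j = s_{j-2} - q_{j-1} s_{j-1}
        t_prev, t_cur = t_cur, t_prev - q * t_cur   # t_j = t_{j-2} - q_{j-1} t_{j-1}
        j += 1
    # The loop ends with r_prev = r_n, s_prev = s_n, t_prev = t_n.
    return rows, r_prev, s_prev, t_prev


def bezout_family(a, b, k):
    """The Bezout coefficients s + k(b/d), t - k(a/d) for the integer k."""
    _, d, s, t = extended_euclid(a, b)
    return s + k * (b // d), t - k * (a // d)


if __name__ == "__main__":
    rows, d, s, t = extended_euclid(252, 198)
    for row in rows:
        print(row)
    print(d, s, t)                              # 18 = 4*252 - 5*198
    for k in range(-2, 3):
        sk, tk = bezout_family(252, 198, k)
        print(k, sk, tk, sk * 252 + tk * 198)
```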


3.4 EXERCISES 


1. Use the Euclidean algorithm to find each of the following greatest common divisors. 
a) (45, 75) b) (102, 222) c) (666, 1414) d) (20785, 44350) 
2. Use the Euclidean algorithm to find each of the following greatest common divisors. 
a) (51, 87) b) (105, 300) c) (981, 1234) d) (34709, 100313) 


3. For each pair of integers in Exercise 1, express the greatest common divisor of the integers 
as a linear combination of these integers. 


4. For each pair of integers in Exercise 2, express the greatest common divisor of the integers 
as a linear combination of these integers. 


5. Find the greatest common divisor of each of the following sets of integers. 
a) 6, 10, 15 b) 70, 98, 105 c) 280, 330, 405, 490 


6. Find the greatest common divisor of each of the following sets of integers. 
a) 15, 35, 90 b) 300, 2160, 5040 c) 1240, 6660, 15540, 19980 


The greatest common divisor of the n integers a_1, a_2, ..., a_n can be expressed as a linear 
combination of these integers. To do this, first express (a_1, a_2) as a linear combination of a_1 and 
a_2. Then express (a_1, a_2, a_3) = ((a_1, a_2), a_3) as a linear combination of a_1, a_2, and a_3. Repeat this 
until (a_1, a_2, ..., a_n) is expressed as a linear combination of a_1, a_2, ..., a_n. Use this procedure 
in Exercises 7 and 8. 


7. Express the greatest common divisor of each set of numbers in Exercise 5 as a linear 
combination of the numbers in that set. 


8. Express the greatest common divisor of each set of numbers in Exercise 6 as a linear 
combination of the numbers in that set. 


The greatest common divisor of two positive integers can be found by an algorithm that uses 
only subtractions, parity checks, and shifts of binary expansions, without using any divisions. 
The algorithm proceeds recursively using the following reduction: 

(a, b) = 
    a              if a = b; 
    2(a/2, b/2)    if a and b are even; 
    (a/2, b)       if a is even and b is odd; 
    (a - b, b)     if a and b are odd, where a > b. 


(Note: Reverse the roles of a and b when necessary.) Exercises 9-13 refer to this algorithm. 
9. Find (2106, 8318) using this algorithm. 


10. Show that this algorithm always produces the greatest common divisor of a pair of positive 
integers. 

11. How many steps does this algorithm use to find (a, b) if a = (2^n - (-1)^n)/3 and b = 
2(2^{n-1} - (-1)^{n-1})/3, when n is a positive integer? 

12. Show that to find (a, b) this algorithm uses the subtraction step in the reduction no more than 
1 + [log_2 max(a, b)] times. 


13. Devise an algorithm for finding the greatest common divisor of two positive integers using 
their balanced ternary expansions. 


In Exercise 26 of Section 1.5, a modified division algorithm is given, which states that if a and 
b > 0 are integers, then there exist unique integers q, r, and e such that a = bq + er, where 
e = ±1, r ≥ 0, and -b/2 < er ≤ b/2. We can set up an algorithm, analogous to the Euclidean 
algorithm, based on this modified division algorithm, called the least-remainder algorithm. It 
works as follows: Let r_0 = a and r_1 = b, where a > b > 0. Using the modified division algorithm 
repeatedly, obtain the greatest common divisor of a and b as the last nonzero remainder r_n in the 
sequence of divisions 


r_0 = r_1 q_1 + e_2 r_2,             -r_1/2 < e_2 r_2 ≤ r_1/2 
   ... 
r_{n-2} = r_{n-1} q_{n-1} + e_n r_n, -r_{n-1}/2 < e_n r_n ≤ r_{n-1}/2 
r_{n-1} = r_n q_n. 


14. Use the least-remainder algorithm to find (384, 226). 


15. Show that the least-remainder algorithm always produces the greatest common divisor of two 
integers. 


16. Show that the least-remainder algorithm is always at least as fast as the Euclidean algorithm. 
(Hint: First show that if a and b are positive integers with 2b < a, then the least-remainder 
algorithm can find (a, b) with no more steps than it uses to find (a, a — b).) 


17. Find a sequence of integers v_0, v_1, v_2, ..., such that the least-remainder algorithm takes 
exactly n divisions to find (v_{n+1}, v_{n+2}). 


18. Show that the number of divisions needed to find the greatest common divisor of two positive 
integers using the least-remainder algorithm is less than 8/3 times the number of digits in the 
smaller of the two numbers, plus 4/3. 


19. Show that (a^m - 1, a^n - 1) = a^{(m, n)} - 1 whenever a, m, and n are positive integers and a > 1. 


20. Show that if m and n are positive integers, then (f_m, f_n) = f_{(m, n)}. 


The next two exercises deal with the game of Euclid. Two players begin with a pair of positive
integers and take turns making moves of the following type. A player can move from the pair of
positive integers {x, y} with x ≥ y, to any of the pairs {x − ty, y}, where t is a positive integer
and x − ty ≥ 0. A winning move consists of moving to a pair with one element equal to 0.


21. Show that every sequence of moves starting with the pair {a, b} must eventually end with the 
pair {0, (a, b)}. 


22. Show that in a game beginning with the pair {a, b}, the first player may play a winning strategy
if a = b or if $a > b(1 + \sqrt{5})/2$; otherwise, the second player may play a winning strategy.
(Hint: First show that if $y < x < y(1 + \sqrt{5})/2$, then there is a unique move from {x, y} that
goes to a pair {z, y} with $y > z(1 + \sqrt{5})/2$.)


23. Show that the number of bit operations needed to use the Euclidean algorithm to find the
greatest common divisor of two positive integers a and b with a > b is $O((\log_2 a)^2)$. (Hint:
First show that the complexity of division of the positive integer q by the positive integer d
is O(log d log q).)


24. Let a and b be positive integers and let $r_j$ and $q_j$, j = 1, 2, ..., n, be the remainders and
quotients of the steps of the Euclidean algorithm as defined in this section.

a) Find the value of $\sum_{j=1}^{n} r_j q_j$. b) Find the value of $\sum_{j=1}^{n} r_j^2 q_j$.


25. Suppose that a and b are positive integers with a > b. Let $q_i$ and $r_i$ be the quotients and
remainders in the steps of the Euclidean algorithm for i = 1, 2, ..., n, where $r_n$ is the last


nonzero remainder. Let Q; = @ a) and Q = ee Q;. Show that =Q G ) 


Computations and Explorations


1. Find (9876543210, 123456789), (11111111111, 1000000001) and (45666020043321,
73433510078091009).

2. Find Bezout coefficients for each pair of integers in the previous exercise.

3. Verify Lamé’s theorem for several different pairs of large positive integers of your choice.

4. Compare the number of steps required to find the greatest common divisor of different pairs of
large positive integers of your choice using the Euclidean algorithm, the algorithm described
in the preamble to Exercise 9, and the least-remainder algorithm described in the preamble
to Exercise 14.

5. Estimate the proportion of pairs of positive integers (a, b) that are relatively prime, where a
and b are positive integers not exceeding 1000, not exceeding 10,000, not exceeding 100,000,
and not exceeding 1,000,000. To do so, you may want to test a random selection of a small
number of such pairs (see Section 10.1 for material on pseudorandom numbers). Can you
make any conjectures from this evidence?


Programming Projects


1. Given two integers, use the Euclidean algorithm to find their greatest common divisor.

2. Given two integers, find their greatest common divisor using the modified Euclidean
algorithm given in the preamble to Exercise 14.

3. Given two positive integers, find their greatest common divisor using no divisions (see the
preamble to Exercise 9).

4. Given a set of more than two integers, find their greatest common divisor.

5. Given a pair of positive integers, find Bezout coefficients for them.

6. Given a set of more than two integers, find Bezout coefficients for them.

7. Play the game of Euclid described in the preamble to Exercise 21.


3.5 The Fundamental Theorem of Arithmetic


The fundamental theorem of arithmetic is an important result that shows that the primes 
are the multiplicative building blocks of the integers. 


Theorem 3.15. The Fundamental Theorem of Arithmetic. Every positive integer 
greater than 1 can be written uniquely as a product of primes, with the prime factors in 
the product written in nondecreasing order. 

Sometimes, the fundamental theorem of arithmetic is extended to apply to the
integer 1. That is, 1 is considered to be written uniquely as the empty product of primes. 


Example 3.16. The factorizations of some positive integers are given by 


$$240 = 2 \cdot 2 \cdot 2 \cdot 2 \cdot 3 \cdot 5 = 2^4 \cdot 3 \cdot 5, \qquad 289 = 17 \cdot 17 = 17^2, \qquad 1001 = 7 \cdot 11 \cdot 13.$$ ◄


Note that it is convenient to combine all the factors of a particular prime into a power 
of this prime, such as in the previous example: For the factorization of 240, all the factors 
of 2 were combined to form $2^4$. Factorizations of integers in which the factors of primes
are combined to form powers are called prime-power factorizations. 


To prove the fundamental theorem of arithmetic, we need the following lemma 
concerning divisibility. This lemma turns out to be a crucial part of the proof. 


Lemma 3.4. If a, b, and c are positive integers such that (a, b) = 1 and a | bc, then
a | c.


Proof. Because (a, b) = 1, there are integers x and y such that ax + by = 1. Multiplying
both sides of this equation by c, we have acx + bcy = c. By Theorem 1.9, a divides
acx + bcy, because this is a linear combination of a and bc, both of which are divisible
by a. Hence, a | c. ■


The following consequence of this lemma will be needed in the proof of the funda- 
mental theorem of arithmetic. 


Lemma 3.5. If p divides $a_1 a_2 \cdots a_n$, where p is a prime and $a_1, a_2, \ldots, a_n$ are positive
integers, then there is an integer i with 1 ≤ i ≤ n such that p divides $a_i$.


Proof. We prove this result by induction. The case where n = 1 is trivial. Assume that
the result is true for n. Consider a product of n + 1 integers $a_1 a_2 \cdots a_{n+1}$ that is divisible
by the prime p. We know that either $(p, a_1 a_2 \cdots a_n) = 1$ or $(p, a_1 a_2 \cdots a_n) = p$. If
$(p, a_1 a_2 \cdots a_n) = 1$, then by Lemma 3.4, $p \mid a_{n+1}$. On the other hand, if $p \mid a_1 a_2 \cdots a_n$,
using the induction hypothesis, there is an integer i with 1 ≤ i ≤ n such that $p \mid a_i$.
Consequently, $p \mid a_i$ for some i with 1 ≤ i ≤ n + 1. This proves the result. ■


We now begin the proof of the fundamental theorem of arithmetic. First, we will 
show that every positive integer greater than 1 can be written as the product of primes in 
at least one way. Then we will show that this product is unique up to the order of primes 
that appear. 


Proof. We use proof by contradiction. Assume that some positive integer cannot be
written as the product of primes. Let n be the smallest such integer (such an integer must
exist, from the well-ordering property). If n is prime, it is obviously the product of a set of
primes, namely the one prime. So n must be composite. Let n = ab, with 1 < a < n and
1 < b < n. But because a and b are smaller than n, they must be the product of primes.
Then, because n = ab, we conclude that n is also a product of primes. This contradiction
shows that every positive integer can be written as the product of primes.

We now finish the proof of the fundamental theorem of arithmetic by showing that
the factorization is unique. Suppose that there is an integer n that has two different
factorizations into primes:

$$n = p_1 p_2 \cdots p_s = q_1 q_2 \cdots q_t,$$

where $p_1, p_2, \ldots, p_s$ and $q_1, q_2, \ldots, q_t$ are all primes, with $p_1 \le p_2 \le \cdots \le p_s$ and
$q_1 \le q_2 \le \cdots \le q_t$.

Remove all common primes from the two factorizations to obtain

$$p_{i_1} p_{i_2} \cdots p_{i_u} = q_{j_1} q_{j_2} \cdots q_{j_v},$$

where the primes on the left-hand side of this equation differ from those on the right-
hand side, u ≥ 1, and v ≥ 1 (because the two original factorizations were presumed to
differ). However, this leads to a contradiction of Lemma 3.5; by this lemma, $p_{i_1}$ must
divide $q_{j_k}$ for some k, which is impossible, because each $q_{j_k}$ is prime and is different
from $p_{i_1}$. Hence, the prime factorization of a positive integer n is unique. ■


Where Unique Factorization Fails The fact that every positive integer has a unique 
factorization into primes is a special property of the set of integers that is shared by some, 
but not all, systems of numbers. In Chapter 13, we will study the diophantine equation 
$x^n + y^n = z^n$. In the nineteenth century, mathematicians thought they could prove that
this equation has no solutions in nonzero integers when n is an integer with n ≥ 3 (a
result known as Fermat’s last theorem), using a form of unique factorization for certain 
types of algebraic numbers. It turned out that these numbers do not enjoy the property 
of unique factorization. The supposed proofs were incorrect, a problem that escaped the 
notice of many eminent mathematicians. 


Although we do not want to go too far afield (by introducing algebraic number 
theory, for instance), we can provide an example showing that unique factorization fails 
for certain types of numbers. Consider the set of numbers of the form $a + b\sqrt{-5}$, where
a and b are integers. This set contains every integer (taking b = 0), as well as other
numbers such as $3\sqrt{-5}$, $-1 + 4\sqrt{-5}$, $7 - 5\sqrt{-5}$, and so on. A number of this form is
prime (in this context) if it cannot be written as the product of two other numbers of
this form both different than ±1. Note that $6 = 2 \cdot 3 = (1 + \sqrt{-5})(1 - \sqrt{-5})$. Each of
the numbers 2, 3, $1 + \sqrt{-5}$, and $1 - \sqrt{-5}$ is a prime (see Exercises 19-22 at the end of
this section to see how this can be established). It follows that the set of numbers of the
form $a + b\sqrt{-5}$ does not enjoy the property of unique factorization into primes. On the
other hand, numbers of the form $a + b\sqrt{-1}$, where a and b are integers, do have unique
factorization, as we will show in Chapter 14.


Using Prime Factorizations 


The prime-power factorization of a positive integer n encodes essential information about 
n. Given this factorization, we can immediately deduce whether a prime p divides n 
because p divides n if and only if it appears in this factorization. (We can obtain a 
contradiction of the uniqueness of the prime-power factorization of n if a prime q divided 
n, but did not appear in the prime-power factorization of n. The reader should fill in the 
other parts of the proof.) For instance, because $168 = 2^3 \cdot 3 \cdot 7$, each of the primes 2, 3,
and 7 divides 168, but none of the primes 5, 11, and 13 do. Furthermore, the highest power
of a prime p that divides n is the power of this prime in the prime-power factorization of
n. For instance, each of $2^3$, 3, and 7 divides 168, but none of $2^4$, $3^2$, and $7^2$ do. Moreover,
an integer d divides n if and only if all the primes in the prime-power factorization of d 
appear in the prime-power factorization of n to powers at least as large as they do in the 
prime-power factorization of d. (The reader should also verify that this follows from the 
fundamental theorem of arithmetic.) The following example illustrates how we can find 
all the positive divisors of a positive integer using this observation. 


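Example 3.17. The positive divisors of $120 = 2^3 \cdot 3 \cdot 5$ are those positive integers with
prime-power factorizations containing only the primes 2, 3, and 5 to powers less than or
equal to 3, 1, and 1, respectively. These divisors are

$$
\begin{array}{llll}
1 & 3 & 5 & 3 \cdot 5 = 15 \\
2 & 2 \cdot 3 = 6 & 2 \cdot 5 = 10 & 2 \cdot 3 \cdot 5 = 30 \\
2^2 = 4 & 2^2 \cdot 3 = 12 & 2^2 \cdot 5 = 20 & 2^2 \cdot 3 \cdot 5 = 60 \\
2^3 = 8 & 2^3 \cdot 3 = 24 & 2^3 \cdot 5 = 40 & 2^3 \cdot 3 \cdot 5 = 120.
\end{array}
$$ ◄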


Another way in which we can use prime factorizations is to find greatest common 
divisors, as illustrated in the following example. 


Example 3.18. To be a common divisor of $720 = 2^4 \cdot 3^2 \cdot 5$ and $2100 = 2^2 \cdot 3 \cdot 5^2 \cdot 7$, a
positive integer can contain only the primes 2, 3, and 5 in its prime-power factorization,
and the power to which one of these primes appears cannot be larger than either of
the powers of that prime in the factorizations of 720 and 2100. Consequently, to be a
common divisor of 720 and 2100, a positive integer can contain only the primes 2, 3,
and 5 to powers no larger than 2, 1, and 1, respectively. Therefore, the greatest common
divisor of 720 and 2100 is $2^2 \cdot 3 \cdot 5 = 60$. ◄


To describe, in general, how prime factorizations can be used to find greatest 
common divisors, let min(a, b) denote the smaller, or minimum, of the two numbers 
a and b. Now, let the prime factorizations of a and b be 

$$a = p_1^{a_1} p_2^{a_2} \cdots p_n^{a_n}, \qquad b = p_1^{b_1} p_2^{b_2} \cdots p_n^{b_n},$$

where each exponent is a nonnegative integer, and where all primes occurring in the prime
factorizations of a and of b are included in both products, perhaps with 0 exponents. We
note that

$$(a, b) = p_1^{\min(a_1, b_1)} p_2^{\min(a_2, b_2)} \cdots p_n^{\min(a_n, b_n)},$$

because for each prime $p_i$, a and b share exactly $\min(a_i, b_i)$ factors of $p_i$.


Prime factorizations can also be used to find the smallest integer that is a multiple of 
each of two positive integers. The problem of finding this integer arises when fractions 
are added. 

Definition. The least common multiple of two nonzero integers a and b is the smallest
positive integer that is divisible by a and b.


The least common multiple of a and b is denoted by [a, b]. (Note: The notation
lcm(a, b) is also commonly used to denote the least common multiple of a and b.)


Example 3.19. We have the following least common multiples: [15, 21] = 105, 
[24, 36] = 72, [2, 20] = 20, and [7, 11] = 77. ◄


Once the prime factorizations of a and b are known, it is easy to find [a, b].
If $a = p_1^{a_1} p_2^{a_2} \cdots p_n^{a_n}$ and $b = p_1^{b_1} p_2^{b_2} \cdots p_n^{b_n}$, where $p_1, p_2, \ldots, p_n$ are the primes
occurring in the prime-power factorizations of a and b (where we might have $a_i = 0$
or $b_i = 0$ for some i), then for an integer to be divisible by both a and b, it is necessary
that in the factorization of the integer, each $p_i$ occurs with a power at least as large as
$a_i$ and $b_i$. Hence, [a, b], the smallest positive integer divisible by both a and b, is

$$[a, b] = p_1^{\max(a_1, b_1)} p_2^{\max(a_2, b_2)} \cdots p_n^{\max(a_n, b_n)},$$

where max(x, y) denotes the larger, or maximum, of x and y.


Finding the prime factorization of large integers is time-consuming. Therefore, we 
would prefer a method for finding the least common multiple of two integers without 
using the prime factorizations of these integers. We will show that we can find the least 
common multiple of two positive integers once we know the greatest common divisor 
of these integers. The latter can be found via the Euclidean algorithm. First, we prove 
the following lemma. 


Lemma 3.6. If x and y are real numbers, then max(x, y) + min(x, y) = x + y.


Proof. If x ≥ y, then min(x, y) = y and max(x, y) = x, so that max(x, y) + min(x, y) =
x + y. If x < y, then min(x, y) = x and max(x, y) = y, and again we find that
max(x, y) + min(x, y) = x + y. ■


We use the following theorem to find [a, b] once (a, b) is known. 


Theorem 3.16. If a and b are positive integers, then [a, b] = ab/(a, b), where [a, b]
and (a, b) are the least common multiple and greatest common divisor of a and b, 
respectively. 


Proof. Let a and b have prime-power factorizations $a = p_1^{a_1} p_2^{a_2} \cdots p_n^{a_n}$ and
$b = p_1^{b_1} p_2^{b_2} \cdots p_n^{b_n}$, where the exponents are nonnegative integers and all primes occurring in
either factorization occur in both, perhaps with 0 exponents. Now let $M_j = \max(a_j, b_j)$
and $m_j = \min(a_j, b_j)$. Then we have

$$
\begin{aligned}
[a, b](a, b) &= p_1^{M_1} p_2^{M_2} \cdots p_n^{M_n} \, p_1^{m_1} p_2^{m_2} \cdots p_n^{m_n} \\
&= p_1^{M_1 + m_1} p_2^{M_2 + m_2} \cdots p_n^{M_n + m_n} \\
&= p_1^{a_1 + b_1} p_2^{a_2 + b_2} \cdots p_n^{a_n + b_n} \\
&= p_1^{a_1} p_2^{a_2} \cdots p_n^{a_n} \, p_1^{b_1} p_2^{b_2} \cdots p_n^{b_n} \\
&= ab,
\end{aligned}
$$

because $M_j + m_j = \max(a_j, b_j) + \min(a_j, b_j) = a_j + b_j$ by Lemma 3.6. ■
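The uses of prime-power factorizations in Examples 3.17 and 3.18 and the identity of Theorem 3.16, worked through as an added Python example (not code from the book). The function names are chosen for this illustration, and factoring is done by simple trial division, which is only practical for small integers; that cost is exactly why the text prefers `lcm_via_gcd`, which needs no factoring.

```python
from itertools import product
from math import gcd  # standard-library gcd, standing in for the Euclidean algorithm


def prime_power_factorization(n):
    """Return {prime: exponent} for n >= 1 by trial division (1 gives the empty product)."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1 if p == 2 else 2      # after 2, only odd candidates
    if n > 1:                        # the remaining cofactor is itself prime
        factors[n] = factors.get(n, 0) + 1
    return factors


def from_exponents(exponents):
    """Multiply out a {prime: exponent} mapping."""
    value = 1
    for p, e in exponents.items():
        value *= p ** e
    return value


def gcd_lcm_from_factorizations(a, b):
    """Return ((a, b), [a, b]) using min and max of the exponents of each prime."""
    fa, fb = prime_power_factorization(a), prime_power_factorization(b)
    primes = set(fa) | set(fb)       # a prime missing from one side has exponent 0
    g = {p: min(fa.get(p, 0), fb.get(p, 0)) for p in primes}
    m = {p: max(fa.get(p, 0), fb.get(p, 0)) for p in primes}
    return from_exponents(g), from_exponents(m)


def lcm_via_gcd(a, b):
    """Theorem 3.16: [a, b] = ab / (a, b), computed without factoring."""
    return a * b // gcd(a, b)


def positive_divisors(n):
    """All positive divisors of n: every choice of exponent 0..e for each prime power p^e."""
    fac = prime_power_factorization(n)
    primes = list(fac)
    divisors = []
    for exps in product(*(range(fac[p] + 1) for p in primes)):
        d = 1
        for p, e in zip(primes, exps):
            d *= p ** e
        divisors.append(d)
    return sorted(divisors)


if __name__ == "__main__":
    print(prime_power_factorization(240))          # factorization from Example 3.16
    print(positive_divisors(120))                  # the 16 divisors of Example 3.17
    print(gcd_lcm_from_factorizations(720, 2100))  # the pair from Example 3.18
    print(lcm_via_gcd(720, 2100))                  # same lcm, no factoring needed
```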


The following consequence of the fundamental theorem of arithmetic will be needed 
later. 


Lemma 3.7. Let m and n be relatively prime positive integers. Then, if d is a positive
divisor of mn, there is a unique pair of positive divisors $d_1$ of m and $d_2$ of n such that
$d = d_1 d_2$. Conversely, if $d_1$ and $d_2$ are positive divisors of m and n, respectively, then
$d = d_1 d_2$ is a positive divisor of mn.


Proof. Let the prime-power factorizations of m and n be $m = p_1^{m_1} p_2^{m_2} \cdots p_s^{m_s}$ and
$n = q_1^{n_1} q_2^{n_2} \cdots q_t^{n_t}$. Because (m, n) = 1, the set of primes $p_1, p_2, \ldots, p_s$ and the set of primes
$q_1, q_2, \ldots, q_t$ have no common elements. Therefore, the prime-power factorization of
mn is

$$mn = p_1^{m_1} p_2^{m_2} \cdots p_s^{m_s} q_1^{n_1} q_2^{n_2} \cdots q_t^{n_t}.$$

Hence, if d is a positive divisor of mn, then

$$d = p_1^{e_1} p_2^{e_2} \cdots p_s^{e_s} q_1^{f_1} q_2^{f_2} \cdots q_t^{f_t},$$

where $0 \le e_i \le m_i$ for i = 1, 2, ..., s and $0 \le f_j \le n_j$ for j = 1, 2, ..., t. Now, let
$d_1 = (d, m)$ and $d_2 = (d, n)$, so that

$$d_1 = p_1^{e_1} p_2^{e_2} \cdots p_s^{e_s} \quad \text{and} \quad d_2 = q_1^{f_1} q_2^{f_2} \cdots q_t^{f_t}.$$

Clearly, $d = d_1 d_2$ and $(d_1, d_2) = 1$. This is the decomposition of d that we desire.
Furthermore, this decomposition is unique. To see this, note that every prime power in
the factorization of d must occur in either $d_1$ or $d_2$, that prime powers in the factorization
of d that are powers of primes dividing m must appear in $d_1$, and that prime powers in
the factorization of d that are powers of primes dividing n must appear in $d_2$. It follows
that $d_1$ must be (d, m) and $d_2$ must be (d, n).


Conversely, let $d_1$ and $d_2$ be positive divisors of m and n, respectively. Then

$$d_1 = p_1^{e_1} p_2^{e_2} \cdots p_s^{e_s},$$

where $0 \le e_i \le m_i$ for i = 1, 2, ..., s, and

$$d_2 = q_1^{f_1} q_2^{f_2} \cdots q_t^{f_t},$$

where $0 \le f_j \le n_j$ for j = 1, 2, ..., t. The integer

$$d = d_1 d_2 = p_1^{e_1} p_2^{e_2} \cdots p_s^{e_s} q_1^{f_1} q_2^{f_2} \cdots q_t^{f_t}$$

is clearly a divisor of

$$mn = p_1^{m_1} p_2^{m_2} \cdots p_s^{m_s} q_1^{n_1} q_2^{n_2} \cdots q_t^{n_t},$$

because the power of each prime occurring in the prime-power factorization of d is less
than or equal to the power of that prime in the prime-power factorization of mn. ■


A Proof of a Special Case of Dirichlet’s Theorem Prime factorization can be used 
to prove special cases of Dirichlet’s theorem, which states that the arithmetic progression 
an + b contains infinitely many primes whenever a and b are relatively prime positive 
integers. We will illustrate this with a proof of Dirichlet’s theorem for the progression 
4n + 3. 


Theorem 3.17. There are infinitely many primes of the form 4n + 3, where n is a 
positive integer. 


Before we prove this result, we prove a useful lemma. 


Lemma 3.8. If a and b are integers, both of the form 4n + 1, then the product ab is
also of this form.


Proof. Because a and b are both of the form 4n + 1, there exist integers r and s such
that a = 4r + 1 and b = 4s + 1. Hence,

$$ab = (4r + 1)(4s + 1) = 16rs + 4r + 4s + 1 = 4(4rs + r + s) + 1,$$

which is again of the form 4n + 1. ■

We now prove the desired result.


Proof. Let us assume that there are only a finite number of primes of the form 4n + 3,
say, $p_0 = 3, p_1, p_2, \ldots, p_r$. Let

$$Q = 4 p_1 p_2 \cdots p_r + 3.$$

Then there is at least one prime in the factorization of Q of the form 4n + 3. Otherwise,
all of these primes would be of the form 4n + 1, and by Lemma 3.8, this would imply
that Q would also be of this form, which is a contradiction. However, none of the
primes $p_0, p_1, \ldots, p_r$ divides Q. The prime 3 does not divide Q, for if 3 | Q, then
$3 \mid (Q - 3) = 4 p_1 p_2 \cdots p_r$, which is a contradiction. Likewise, none of the primes $p_j$
can divide Q, because $p_j \mid Q$ implies $p_j \mid (Q - 4 p_1 p_2 \cdots p_r) = 3$, which is absurd.
Hence, there are infinitely many primes of the form 4n + 3. ■


Results About Irrational Numbers We conclude this section by proving some results 
about irrational numbers. Before we turn our attention to irrational numbers, we briefly 
consider different representations of rational numbers as quotients of integers. Note that 
if α is a rational number, then we may write α as the quotient of two integers in infinitely
many ways, for if α = a/b, where a and b are integers with b ≠ 0, then α = ka/kb when-
ever k is a nonzero integer. However, as can be seen by unique factorization, a positive
rational number r may be written uniquely in lowest terms. This representation can be
obtained by canceling out common prime factors in the numerator and denominator in
any quotient of two integers that equals r. For example, the rational number 11/21 is in
lowest terms. We also see that

··· = −33/−63 = −22/−42 = −11/−21 = 11/21 = 22/42 = 33/63 = ···.


The next two results show that certain numbers are irrational. We start by giving another 
proof that $\sqrt{2}$ is irrational (we proved this originally in Section 1.1).


Example 3.20. Suppose that $\sqrt{2}$ is rational. Then $\sqrt{2} = a/b$, where a and b are
relatively prime integers with b ≠ 0. It follows that $2 = a^2/b^2$, so that $2b^2 = a^2$. Because
$2 \mid a^2$, it follows (see Exercise 40 at the end of this section) that 2 | a. Let a = 2c, so
that $b^2 = 2c^2$. Hence, $2 \mid b^2$, and by Exercise 40, 2 also divides b. However, because
(a, b) = 1, we know that 2 cannot divide both a and b. This contradiction shows that $\sqrt{2}$
is irrational. ◄


We can also use the following more general result to show that $\sqrt{2}$ is irrational.


Theorem 3.18. Let α be a real number that is a root of the polynomial $x^n + c_{n-1} x^{n-1} +
\cdots + c_1 x + c_0$, where the coefficients $c_0, c_1, \ldots, c_{n-1}$ are integers. Then α is either an
integer or an irrational number.


Proof. Suppose that α is rational. Then we can write α = a/b, where a and b are
relatively prime integers with b ≠ 0. Because α is a root of $x^n + c_{n-1} x^{n-1} + \cdots + c_1 x + c_0$,
we have

$$(a/b)^n + c_{n-1}(a/b)^{n-1} + \cdots + c_1(a/b) + c_0 = 0.$$

Multiplying by $b^n$, we find that

$$a^n + c_{n-1} a^{n-1} b + \cdots + c_1 a b^{n-1} + c_0 b^n = 0.$$

Because

$$a^n = b\left(-c_{n-1} a^{n-1} - \cdots - c_1 a b^{n-2} - c_0 b^{n-1}\right),$$

we see that $b \mid a^n$. Assume that b ≠ ±1. Then b has a prime divisor p. Because p | b and
$b \mid a^n$, we know that $p \mid a^n$. Hence, by Exercise 41, we see that p | a. However, because
(a, b) = 1, this is a contradiction, which shows that b = ±1. Consequently, if α is rational
then α = ±a, so that α must be an integer. ■


We illustrate the use of Theorem 3.18 with the following example.

Example 3.21. Let a be a positive integer that is not the mth power of an integer, so
that $\sqrt[m]{a}$ is not an integer. Then $\sqrt[m]{a}$ is irrational by Theorem 3.18, because $\sqrt[m]{a}$ is a root
of $x^m - a$. Consequently, such numbers as $\sqrt{2}$, $\sqrt[3]{5}$, $\sqrt[10]{17}$, etc., are irrational. ◄


The fundamental theorem of arithmetic can be used to prove the following result, 
which relates the famous Riemann zeta function to the prime numbers. 

Theorem 3.19. If s is a real number with s > 1, then

$$\zeta(s) = \sum_{n=1}^{\infty} \frac{1}{n^s} = \prod_{p\ \text{prime}} \left(1 - \frac{1}{p^s}\right)^{-1}.$$


Not surprisingly, we will not prove Theorem 3.19 because its proof depends on results
from analysis. We note here that the proof uses the fundamental theorem of arithmetic
to show that the term $1/n^s$, where n is a positive integer, appears exactly once when the
terms of the product on the right-hand side are expanded. To see this, we use the fact that

$$\frac{1}{1 - \frac{1}{p^s}} = \sum_{j=0}^{\infty} \frac{1}{p^{js}}.$$

So multiplying, if $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$ is the prime-power factorization of n,

$$\frac{1}{n^s} = \frac{1}{p_1^{e_1 s} p_2^{e_2 s} \cdots p_k^{e_k s}}$$

appears exactly once in the expansion of the product. The details of the proof can be 
found in [HaWr08]. 


EXERCISES 


1. Find the prime factorizations of each of the following integers.

a) 36     d) 289    g) 515     j) 8000
b) 39     e) 222    h) 989     k) 9555
c) 100    f) 256    i) 5040    l) 9999

2. Find the prime factorization of 111,111.

3. Find the prime factorization of 4,849,845.

4. Find all of the prime factors of each of the following integers.

a) 100,000 b) 10,500,000 c) 10! d) (a

5. Find all of the prime factors of each of the following integers.

a) 196,608 b) 7,290,000 c) 20! d) (3)

6. Show that all of the powers in the prime-power factorization of an integer n are even if and
only if n is a perfect square.

7. Which positive integers have exactly three positive divisors? Which have exactly four positive
divisors?

8. Show that every positive integer can be written as the product of a square (possibly 1) and
a square-free integer. A square-free integer is an integer that is not divisible by any perfect
squares other than 1.

9. An integer n is called powerful if, whenever a prime p divides n, $p^2$ divides n. Show that
every powerful number can be written as the product of a perfect square and a perfect cube.



10. Show that if a and b are positive integers and $a^3 \mid b^2$, then a | b.
11. Let p be a prime and n a positive integer. If $p^a \mid n$, but $p^{a+1} \nmid n$, we say that $p^a$ exactly divides
n, and we write $p^a \parallel n$.
a) Show that if $p^a \parallel m$ and $p^b \parallel n$, then $p^{a+b} \parallel mn$.
b) Show that if $p^a \parallel m$, then $p^{ka} \parallel m^k$.
c) Show that if $p^a \parallel m$ and $p^b \parallel n$ with a ≠ b, then $p^{\min(a,b)} \parallel (m + n)$.


12. Let n be a positive integer. Show that the power of the prime p occurring in the prime-power 
factorization of n! is 


$$[n/p] + [n/p^2] + [n/p^3] + \cdots.$$


13. Use Exercise 12 to find the prime-power factorization of 20!. 

14. How many zeros are there at the end of 1000! in decimal notation? How many in base 8 
notation? 

15. Find all positive integers n such that n! ends with exactly 74 zeros in decimal notation. 


16. Show that if n is a positive integer, it is impossible for n! to end with exactly 153, 154, or 155
zeros when it is written in decimal notation. 


Let $\alpha = a + b\sqrt{-5}$, where a and b are integers. Define the norm of α, denoted by N(α), as

$$N(\alpha) = a^2 + 5b^2.$$

17. Show that if $\alpha = a + b\sqrt{-5}$ and $\beta = c + d\sqrt{-5}$, where a, b, c, and d are integers, then
N(αβ) = N(α)N(β).

18. A number of the form $a + b\sqrt{-5}$ is prime if it cannot be written as the product of numbers
α and β, where neither α nor β equals ±1. Show that the number 2 is a prime number of the
form $a + b\sqrt{-5}$. (Hint: Start with N(2) = N(αβ), and use Exercise 17.)


19. Use an argument similar to that in Exercise 18 to show that 3 is a prime number of the form
$a + b\sqrt{-5}$.

20. Use arguments similar to that in Exercise 18 to show that both $1 \pm \sqrt{-5}$ are prime numbers
of the form $a + b\sqrt{-5}$.

21. Find two different factorizations of the number 19 into primes of the form $a + b\sqrt{-5}$, where
a and b are integers.


22. Show that the set of all numbers of the form $a + b\sqrt{-6}$, where a and b are integers, does not
enjoy the property of unique factorization.


The next four exercises present another example of a system where unique factorization into 
primes fails. Let H be the set of all positive integers of the form 4k + 1, where k is a nonnegative 
integer. 


23. Show that the product of two elements of H is also in H. 


24. An element h ≠ 1 in H is called a Hilbert prime (named after famous German mathematician
David Hilbert) if the only way it can be written as the product of two integers in H is 
h=h-1=1-h. Find the 20 smallest Hilbert primes. 


25. Show that every element of H greater than 1 can be factored into Hilbert primes. 


26. Show that factorization of elements of H into Hilbert primes is not necessarily unique, by 
finding two different factorizations of 693 into Hilbert primes. 

27. Which positive integers n are divisible by all integers not exceeding $\sqrt{n}$?

28. Find the least common multiple of each of the following pairs of integers. 
a) 8, 12 c) 28, 35 e) 256, 5040 
b) 14, 15 d) 111, 303 f) 343, 999 

29. Find the least common multiple of each of the following pairs of integers. 
a) 7, 11 c) 25, 30 e) 1331, 5005 
b) 12, 18 d) 101, 333 f) 5040, 7700 

30. Find the greatest common divisor and least common multiple of the following pairs of 
integers. 
a) 2. 3253, 223372 c) 2836541113 2.3.5.11-13 
b)2-3-5-7, 7-11-13 d) 411014743 1931001 44114347g3111 

31. Find the greatest common divisor and least common multiple of the following pairs of 
integers. 
a) 23957). 2357" c) 23571119, 2.3-5-7-11-13 
b)2:3-5-7-11-13, 17-19-23 +29 d) 471179111491 1001, 471193111 1911000 

* 32. Let n be a positive integer greater than 1. Show that $1 + \frac{1}{2} + \frac{1}{3} + \cdots + \frac{1}{n}$ is not an integer.

33. Periodical cicadas are insects with very long larval periods and brief adult lives. For each 
species of periodical cicada with a larval period of 17 years, there is a similar species with 
a larval period of 13 years. If both the 17-year and 13-year species emerged in a particular 
location in 1900, when will they next both emerge in that location? 

34. Which pairs of integers a and b have greatest common divisor 18 and least common multiple 
540? 

35. Show that if a and b are positive integers, then (a, b) | [a, b]. When does (a, b) = [a, b]? 

36. Show that if a and b are positive integers, then there are divisors c of a and d of b with 


(c, d) = 1 and cd = [a, b].


DAVID HILBERT (1862-1943), born in Königsberg, the city famous in mathematics
for its seven bridges, was the son of a judge. During his tenure at
Göttingen University, from 1892 to 1930, Hilbert made many fundamental
contributions to a wide range of mathematical subjects. He almost always worked on
one area of mathematics at a time, making important contributions, then moving
to a new mathematical subject. Some areas in which Hilbert worked are
the calculus of variations, geometry, algebra, number theory, logic, and
mathematical physics. Besides his many outstanding original contributions, Hilbert is
remembered for his famous list of 23 difficult problems. He described these problems at the 1900
International Congress of Mathematicians, as a challenge to mathematicians at the birth of the twentieth
century. Since that time, they have spurred a tremendous amount and variety of research. Although
many of these problems have now been solved, several remain open, including the Riemann
hypothesis, which is part of Problem 8 on Hilbert’s list. Hilbert was also the author of several important
textbooks in number theory and geometry.

The least common multiple of the integers $a_1, a_2, \ldots, a_n$, which are not all zero, is the smallest
positive integer that is divisible by all the integers $a_1, a_2, \ldots, a_n$; it is denoted by $[a_1, a_2, \ldots, a_n]$.

37. a) Show that if a, b, and c are integers, then [a, b] | c if and only if a | c and b | c.

b) Show that if $a_1, a_2, \ldots, a_n$ and d are integers where n is a positive integer, then
$[a_1, a_2, \ldots, a_n] \mid d$ if and only if $a_i \mid d$ for i = 1, 2, ..., n.

38. Use Lemma 3.4 to show that if p is a prime and a is an integer with $p \mid a^2$, then p | a.

39. Show that if p is a prime, a is an integer, and n is a positive integer such that $p \mid a^n$, then
p | a.

40. Show that if a, b, and c are integers with c | ab, then c | (a, c)(b, c).

41. a) Show that if a and b are positive integers with (a, b) = 1, then $(a^n, b^n) = 1$ for all positive
integers n.

b) Use part (a) to prove that if a and b are integers such that $a^n \mid b^n$, where n is a positive
integer, then a | b.

42. Show that $\sqrt[3]{5}$ is irrational:

a) by an argument similar to that given in Example 3.20;

b) using Theorem 3.18.

43. Show that $\sqrt{2} + \sqrt{3}$ is irrational.

44. Show that $\log_2 3$ is irrational.

45. Show that $\log_p b$ is irrational, where p is a prime and b is a positive integer that is not the
second or higher power of p.

46. a) Show that if a and b are positive integers, then (a, b) = (a + b, [a, b]).

b) Use part (a) to find the two positive integers with sum 798 and least common multiple
10,780.

47. Show that if a, b, and c are positive integers, then ([a, b], c) = [(a, c), (b, c)] and [(a, b), c] =
([a, c], [b, c]).

48. Find [6, 10, 15] and [7, 11, 13].

49. Show that $[a_1, a_2, \ldots, a_{n-1}, a_n] = [[a_1, a_2, \ldots, a_{n-1}], a_n]$.

50. Let n be a positive integer. How many pairs of positive integers satisfy [a, b] = n? (Hint:
Consider the prime factorization of n.)

51. a) Show that if a, b, and c are positive integers, then

max(a, b, c) = a + b + c − min(a, b) − min(a, c) − min(b, c) + min(a, b, c).

b) Use part (a) to show that

$$[a, b, c] = \frac{abc\,(a, b, c)}{(a, b)(a, c)(b, c)}.$$

52. Generalize Exercise 51 to find a formula relating $(a_1, a_2, \ldots, a_n)$ and $[a_1, a_2, \ldots, a_n]$, where
$a_1, a_2, \ldots, a_n$ are positive integers.

53. Show that if a, b, and c are positive integers, then (a, b, c)[ab, ac, bc] = abc.

54. Show that if a, b, and c are positive integers, then [a, b, c](ab, ac, bc) = abc.
55. Show that if a, b, and c are positive integers, then ([a, b], [a, c], [b, c]) = [(a, b), (a, c), (b, c)].

56. Prove that there are infinitely many primes of the form 6k + 5, where k is a positive integer.

57. Show that if a and b are positive integers, then the arithmetic progression a, a + b, a + 2b, ..., contains an arbitrary number of consecutive composite terms.

58. Find the prime factorizations of each of the following integers.

a) 10°—1 2h 1 ) ee

b) 108 — 1 d) 24-1 f) 276 — J

59. A discount store sells a camera at a price less than its usual retail price of $99 but more than $1. If they sell $8137 worth of this camera and the discounted dollar price is an integer, how many cameras did they sell?

60. A publishing company sells $375,961 worth of a particular book. How many copies of the book did they sell if their price is an exact dollar amount that is more than $1?

61. If a store sells $139,499 worth of electronic organizers at a sale price that is an exact dollar amount less than $300 and more than $1, how many electronic organizers did they sell?

62. Show that if a and b are positive integers, then a? | b? implies that a | b.

63. Show that if a, b, and c are positive integers with (a, b) = 1 and $ab = c^n$, then there are positive integers d and e such that $a = d^n$ and $b = e^n$.

64. Show that if $a_1, a_2, \ldots, a_n$ are pairwise relatively prime integers, then $[a_1, a_2, \ldots, a_n] = a_1 a_2 \cdots a_n$.

65. Show that among any set of n + 1 positive integers not exceeding 2n, there is an integer that divides a different integer in the set.

66. Show that (m + n)!/(m! n!) is an integer whenever m and n are positive integers.

67. Find all solutions of the equation $m^n = n^m$, where m and n are integers.

68. Let $p_1, p_2, \ldots, p_n$ be the first n primes and let m be an integer with 1 < m < n. Let Q be the product of a set of m primes in the list and let R be the product of the remaining primes. Show that Q + R is not divisible by any primes in the list, and hence must have a prime factor not in the list. Conclude that there are infinitely many primes.

69. This exercise presents another proof that there are infinitely many primes. Assume that there are exactly r primes $p_1, p_2, \ldots, p_r$. Let $Q_k = \left(\prod_{j=1}^{r} p_j\right)/p_k$ for k = 1, 2, ..., r. Let $S = \sum_{j=1}^{r} Q_j$. Show that S must have a prime factor not among the r primes listed. Conclude that there are infinitely many primes. (This proof was published by G. Métrod in 1917.)

70. Show that if p is prime and 1 < k < p, then the binomial coefficient $\binom{p}{k}$ is divisible by p.

71. Prove that in the prime factorization of n!, where n is an integer with n > 1, there is at least one prime factor with 1 as its exponent. (Hint: Use Bertrand’s postulate.)


Exercises 72 and 73 outline two additional proofs that there are infinitely many primes. 


72. Suppose that $p_1, \ldots, p_j$ are the first j primes, in increasing order. Denote by N(x) the number of integers n not exceeding the integer x that are not divisible by any prime exceeding $p_j$.

a) Show that every integer n not divisible by any prime exceeding $p_j$ can be written in the form $n = r^2 s$, where s is square-free.

b) Show there are only $2^j$ possible values of s in part (a) by looking at the prime factorization of such an integer n, which is a product of terms $p_k^{e_k}$, where $0 < k \le j$ and $e_k$ is 0 or 1.

c) Show that if $n \le x$, then $r \le \sqrt{n} \le \sqrt{x}$, where r is in part (a). Conclude that there are no more than $\sqrt{x}$ different values possible for r. Conclude that $N(x) \le 2^j \sqrt{x}$.

d) Show that if the number of primes is finite and $p_j$ is the largest prime, then N(x) = x for all integers x.

e) Show from parts (c) and (d) that $x \le 2^j \sqrt{x}$, so that $x \le 2^{2j}$ for all x, leading to a contradiction. Conclude that there must be infinitely many primes.

73. This exercise develops a proof that there are infinitely many primes based on the fundamental theorem of arithmetic published by A. Auric in 1915. Assume that there are exactly r primes, $p_1 < p_2 < \cdots < p_r$. Suppose that n is a positive integer and let $Q = p_r^n$.

a) Show that an integer m with $1 \le m \le Q$ can be written uniquely as $m = p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r}$, where $e_i \ge 0$ for i = 1, 2, ..., r. Furthermore, show that for the integer m with this factorization, $p_1^{e_i} \le m \le Q = p_r^n$.

b) Let $C = (\log p_r)/(\log p_1)$. Show that $e_i \le nC$ for i = 1, 2, ..., r and that Q does not exceed the number of r-tuples $(e_1, e_2, \ldots, e_r)$ of exponents in the prime-power factorizations of integers m with $1 \le m \le Q$.

c) Conclude from part (b) that $Q = p_r^n \le (Cn + 1)^r \le n^r (C + 1)^r$.

d) Show that the inequality in part (c) cannot hold for sufficiently large values of n. Conclude that there must be infinitely many primes.


Suppose that n is a positive integer. We define the Smarandache function S(n) by specifying that S(n) is the least positive integer for which n divides S(n)!. For example, S(8) = 4 because 8 does not divide 1! = 1, 2! = 2, and 3! = 6, but it does divide 4! = 24.

74. Find S(n) for all positive integers n not exceeding 12.

75. Find S(n) for n = 40, 41, and 43.

76. Show that S(p) = p whenever p is prime.

Let a(n) be the least inverse of the Smarandache function, that is, the least positive integer m for which S(m) = n. In other words, a(n) is the position of the first occurrence of the integer n in the sequence S(1), S(2), ..., S(k), ....

77. Find a(n) for all positive integers n not exceeding 11.

78. Find a(12).

79. Show that a(p) = p whenever p is prime.

Let rad(n) be the product of the primes that occur in the prime-power factorization of n. For example, $\mathrm{rad}(360) = \mathrm{rad}(2^3 \cdot 3^2 \cdot 5) = 2 \cdot 3 \cdot 5 = 30$.

80. Find rad(n) for each of these values of n.
a) 300 b) 44 c) 44,004 d) 128,128

81. Show that rad(n) = n when n is a positive integer if and only if n is square-free.

82. What is the value of rad(n!) when n is a positive integer?

83. Show that $\mathrm{rad}(nm) \le \mathrm{rad}(n)\,\mathrm{rad}(m)$ for all positive integers m and n. For which positive integers m and n does equality hold?
The next six exercises establish some estimates for the size of $\pi(x)$, the number of primes less than or equal to x. These results were originally proved in the nineteenth century by Chebyshev.

84. Let p be a prime and let n be a positive integer. Show that p divides $\binom{2n}{n}$ exactly

$$([2n/p] - 2[n/p]) + ([2n/p^2] - 2[n/p^2]) + \cdots + ([2n/p^t] - 2[n/p^t])$$

times, where $t = [\log_p 2n]$. Conclude that if $p^r$ divides $\binom{2n}{n}$, then $p^r \le 2n$.

85. Use Exercise 84 to show that

$$\binom{2n}{n} \le (2n)^{\pi(2n)}.$$

86. Show that the product of all primes between n and 2n is between $\binom{2n}{n}$ and $n^{\pi(2n) - \pi(n)}$. (Hint: Use the fact that every prime between n and 2n divides (2n)! but not $(n!)^2$.)

87. Use Exercises 85 and 86 to show that

$$\pi(2n) - \pi(n) < n \log 4 / \log n.$$

88. Use Exercise 87 to show that

$$\pi(2n) = (\pi(2n) - \pi(n)) + (\pi(n) - \pi(n/2)) + (\pi(n/2) - \pi(n/4)) + \cdots < n \log 64 / \log n.$$

89. Use Exercises 85 and 88 to show that there are positive constants $c_1$ and $c_2$ such that

$$c_1 x / \log x < \pi(x) < c_2 x / \log x$$

for all x > 2. (Compare this to the strong statement given in the prime number theorem, stated as Theorem 3.4 in Section 3.2.)


Computations and Explorations 


1. Find the prime factorizations of 8,616,460,799; 1,234,567,890; 111,111,111,111; and 43,854,532,213,873.

2. Compare the number of primes of the form 4n + 1 and the number of primes of the form 4n + 3 for a range of values of n. Can you make any conjectures about the relationship between these numbers?

3. Find the smallest prime of the form an + b, given integers a and b, for a range of values of a and b. Can you make any conjectures about such primes?

4. Find the number of powerful numbers (defined in Exercise 9) less than $10^m$ for integers m = 1, 2, 3, 4, 5, 6.

5. Find as many pairs of consecutive positive integers that are both powerful (defined in Exercise 9) as you can.
Programming Projects

1. Find all of the positive divisors of a positive integer from its prime factorization.

2. Find the greatest common divisor of two positive integers from their prime factorizations.

3. Find the least common multiple of two positive integers from their prime factorizations.

4. Find the number of zeros at the end of the decimal expansion of n!, where n is a positive integer.

5. Find the prime factorization of n!, where n is a positive integer.

6. Find the number of powerful numbers (defined in Exercise 9) less than a positive integer n.


3.6 Factorization Methods and the Fermat Numbers


By the fundamental theorem of arithmetic, we know that every positive integer can 
be written uniquely as the product of primes. In this section, we discuss the problem 
of determining this factorization, and we introduce several simple factoring methods. 
Factoring integers is an extremely active area of mathematical research, especially 
because it is important in cryptography, as we will see in Chapter 8. In that chapter, 
we will learn that the security of the RSA public-key cryptosystem is based on the 
observation that factoring integers is much, much harder than finding large primes. 


Before we discuss the current status of factoring algorithms, we will consider the most direct way to factor integers, called trial division. We will explain why it is not very efficient. Recall from Theorem 3.2 that n either is prime or has a prime factor not exceeding $\sqrt{n}$. Consequently, when we divide n successively by the primes 2, 3, 5, ..., not exceeding $\sqrt{n}$, either we find a prime factor $p_1$ of n or we conclude that n is prime. If we have located a prime factor $p_1$ of n, we next look for a prime factor of $n_1 = n/p_1$, beginning our search with the prime $p_1$, as $n_1$ has no prime factor less than $p_1$, and any factor of $n_1$ is also a factor of n. We continue, if necessary, determining whether any of the primes not exceeding $\sqrt{n_1}$ divide $n_1$. We continue in this manner, proceeding iteratively, to find the prime factorization of n.


Example 3.22. Let n = 42,833. We note that n is not divisible by 2, 3, or 5, but that 7 | n. We have

42,833 = 7 · 6119.

Trial divisions show that 6119 is not divisible by any of the primes 7, 11, 13, 17, 19, or 23. However, we see that

6119 = 29 · 211.

Because $29 > \sqrt{211}$, we know that 211 is prime. We conclude that the prime factorization of 42,833 is 42,833 = 7 · 29 · 211.
Unfortunately, this method for finding the prime factorization of an integer is quite inefficient. To factor an integer N, it may be necessary to perform as many as $\pi(\sqrt{N})$ divisions (assuming that we already have a list of the primes not exceeding $\sqrt{N}$), altogether requiring on the order of $\sqrt{N} \log N$ bit operations because, from the prime number theorem, $\pi(\sqrt{N})$ is approximately $\sqrt{N}/\log \sqrt{N} = 2\sqrt{N}/\log N$, and from Theorem 2.7, these divisions take $O(\log^2 N)$ bit operations each.


Modern Factorization Methods 


Mathematicians have long been fascinated with the problem of factoring integers. In 
the seventeenth century, Pierre de Fermat invented a factorization method based on the 
idea of representing a composite integer as the difference of two squares. This method 
is of theoretical and some practical importance, but is not very efficient in itself. We will 
discuss Fermat’s factorization method later in this section. 


Since 1970, many new factorization methods have been invented that make it possible,
using powerful modern computers, to factor integers that had previously seemed
impervious. We will describe several of the simplest of these newer methods. However, 
the most powerful factorization methods currently known are extremely complicated. 
Their description is beyond the scope of this book, but we will discuss the size of the 
integers that they can factor. 


Among recent factorization methods (developed in the past 30 years) are several invented by J. M. Pollard, including the Pollard rho method (discussed in Section 4.6) and the Pollard p - 1 method (discussed in Section 6.1). These two methods are generally too slow for difficult factoring problems, unless the numbers being factored have special properties. In Section 12.5, we will introduce another method for factoring that uses continued fractions. A variation of this method, introduced by Morrison and Brillhart, was the major method used to factor large integers during the 1970s. This algorithm was the first factoring algorithm to run in subexponential time, which means that the number of bit operations required to factor an integer n could be written in the form $n^{a(n)}$, where a(n) decreases as n increases. A useful notation for describing the number of bit operations required to factor a number by an algorithm running in subexponential time is L(a, b), which implies that the number of bit operations used by the algorithm is $O(\exp(b (\log n)^a (\log \log n)^{1-a}))$. (The precise definition of L(a, b) is somewhat more complicated.) The variation of the continued fraction algorithm invented by Morrison and Brillhart uses $L(1/2, \sqrt{3/2})$ bit operations. Its greatest success was the factorization of a 63-digit number in 1970.


PIERRE DE FERMAT (1601-1665) was a lawyer by profession. He was a noted jurist at the provincial parliament in the French city of Toulouse. Fermat was probably the most famous amateur mathematician in history. He published almost none of his mathematical discoveries, but did correspond with contemporary mathematicians about them. From his correspondents, especially the French monk Mersenne (discussed in Chapter 6), the world learned about his many contributions to mathematics. Fermat was one of the inventors of analytic geometry. Furthermore, he laid the foundations of calculus. Fermat, along with Pascal, gave a mathematical basis to the concept of probability. Some of Fermat’s discoveries come to us only because he made notes in the margins of his copy of the work of Diophantus. His son found his copy with these notes, and published them so that other mathematicians would be aware of Fermat’s results and claims.


The quadratic sieve, described by Carl Pomerance in 1981, made it possible for 
the first time to factor numbers having more than one hundred digits not of a special 
form. This method, with many enhancements added after its original invention, uses 
L(1/2, 1) bit operations. Its great success was in factoring a 129-digit integer known 
as RSA-129, whose factorization was posed as a challenge by the inventors of the 
RSA cryptosystem discussed in Chapter 8. Currently, the best general-purpose factoring 
algorithm for integers with more than 115 digits is the number field sieve, originally 
suggested by Pollard and improved by Buhler, Lenstra, and Pomerance, which uses 
$L(1/3, (64/9)^{1/3})$ bit operations. Its greatest success has been the factorization of a 200-digit
integer known as RSA-200 in 2005. For factoring numbers with fewer than 115
digits, the quadratic sieve still seems to be quicker than the number field sieve. 


An important feature of the number field and quadratic sieves (as well as other methods)
is that these algorithms can be run in parallel on many computers (or processors) at
the same time. This makes it possible for large teams of people to work on factoring the 
same integer. (See the historical note on factoring RSA-129 and other RSA challenge 
numbers, at the end of this subsection.) 


How big will the numbers be that can be factored in the future? The answer depends on whether (or, more likely, how soon) more efficient algorithms are invented, as well as how quickly computing power advances. A useful and commonly used measure for estimating the amount of computing required to factor integers of a certain size is millions of instructions per second-years, or MIPS-years. (One MIPS-year represents the computing power of the classical DEC VAX 11/780 during one year. It is still used as a reference point even though this computer is obsolete. Pentium PCs operate at hundreds of MIPS.) Table 3.2 (adapted from information in [Od95]) displays the computing power (in terms of MIPS-years, rounded to the nearest power of ten) required to factor integers of a given size using the number field sieve. Teams of people can work together, dedicating thousands or even millions of MIPS-years to factor particular numbers. Consequently, even without the development of new algorithms, it might not be surprising to see the factorization, within the next few years, of integers (not of a special form) with 250, or perhaps 300, decimal digits.


Number of Decimal Digits | Approximate MIPS-Years Required
150 | $10^{4}$
225 | $10^{8}$
300 | $10^{11}$
450 | $10^{16}$
600 | $10^{20}$


Table 3.2 Computing power required to factor integers using the number field sieve.


For further information on factoring algorithms, we refer the reader to [Br89],
[Br00], [CrPo05], [Di84], [Gu75], [Od95], [Po84], [Po90], [Ri94], [Ru83], [WaSm87],
and [Wi84].


Fermat Factorization We now describe a factorization technique that is interesting, 
although it is not always efficient. This technique, discovered by Fermat, is known as 
Fermat factorization, and is based on the following lemma. 


Lemma 3.9. If n is an odd positive integer, then there is a one-to-one correspondence
between factorizations of n into two positive integers and differences of two squares that 
equal n. 


Proof. Let n be an odd positive integer and let n = ab be a factorization of n into two positive integers. Then n can be written as the difference of two squares, because

$$n = ab = s^2 - t^2,$$

where s = (a + b)/2 and t = (a - b)/2 are both integers because a and b are both odd.

Conversely, if n is the difference of two squares, say, $n = s^2 - t^2$, then we can factor n by noting that n = (s - t)(s + t).

We leave it to the reader to show that this is a one-to-one correspondence.


The RSA Factoring Challenge

The RSA Factoring Challenge, which ran from 1991 to 2007, was a contest that challenged mathematicians to factor certain large integers. Its purpose was to track progress in factorization methods, which has important implications for cryptography (see Chapter 8). The first RSA challenge made in 1991, first posed in 1977 in Martin Gardner’s column in Scientific American, was to factor a 129-digit integer, known as RSA-129. A $100 prize was offered for the decryption of a message; the message could be decrypted easily when this 129-digit number was factored, but not otherwise. Seventeen years passed before this challenge was met in 1994. The factorization of RSA-129 using the quadratic sieve method took approximately 5000 MIPS-years, and was carried out in eight months by more than 600 people working together. RSA Labs, a part of RSA Data Security (the company that holds the patents for the RSA cryptosystem discussed in Chapter 8), sponsored the challenge, and offered cash prizes for the factorization of integers on challenge lists. They awarded more than $80,000 for successful factorizations. Factorizations of numbers on their list led to world records. For example, in 1996, a team led by Arjen Lenstra used the number field sieve to factor RSA-130. This took approximately 750 MIPS-years. In 1999, the number field sieve was used to factor RSA-140 and RSA-155, using 2000 and 8000 MIPS-years, respectively. The largest number factored as part of this challenge was RSA-200, an integer with 200 decimal digits, which was factored in 2005 by a team led by Jens Franke at the University of Bonn.


To carry out the method of Fermat factorization, we look for solutions of the equation $n = x^2 - y^2$ by searching for perfect squares of the form $x^2 - n$. Hence, to find factorizations of n, we search for a square among the sequence of integers

$$t^2 - n,\ (t + 1)^2 - n,\ (t + 2)^2 - n,\ \ldots,$$

where t is the smallest integer greater than $\sqrt{n}$. This procedure is guaranteed to terminate, because the trivial factorization n = n · 1 leads to the equation

$$n = \left(\frac{n + 1}{2}\right)^2 - \left(\frac{n - 1}{2}\right)^2.$$

Example 3.23. We factor 6077 using the method of Fermat factorization. Because $77 < \sqrt{6077} < 78$, we look for a perfect square in the sequence

$78^2 - 6077 = 7$

$79^2 - 6077 = 164$

$80^2 - 6077 = 323$

$81^2 - 6077 = 484 = 22^2$.


Because $6077 = 81^2 - 22^2$, we see that 6077 = (81 - 22)(81 + 22) = 59 · 103.


Unfortunately, Fermat factorization can be very inefficient. To factor n using this
technique, it may be necessary to check as many as $(n + 1)/2 - [\sqrt{n}]$ integers to
determine whether they are perfect squares. Fermat factorization works best when it is
used to factor integers having two factors of similar size. Although Fermat factorization 
is rarely used to factor large integers, its basic idea is the basis for many more powerful 
factorization algorithms used extensively in computer calculations. 
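
The two procedures described so far, trial division and Fermat factorization, as an added Python example that is not code from the book. It reruns Examples 3.22 and 3.23 with step counters; the function names, the use of odd candidates in place of a prime list, and the constructed semiprime 1000036000099 = 1000003 · 1000033 are assumptions of this example.

```python
from math import isqrt


def trial_division(n):
    """Prime factorization by trial division, following Example 3.22.

    Returns (prime_factors, divisions). After a factor d is found, the search
    resumes at d on the cofactor and stops once d*d exceeds the cofactor.
    Assumption of this sketch: candidates are 2 and the odd integers instead
    of a precomputed prime list. A composite candidate never divides, because
    its prime factors have already been removed from the cofactor.
    """
    factors, divisions, d = [], 0, 2
    while d * d <= n:
        divisions += 1
        if n % d == 0:
            factors.append(d)
            n //= d                      # stay on d: it may divide again
        else:
            d += 1 if d == 2 else 2
    if n > 1:
        factors.append(n)                # the remaining cofactor is prime
    return factors, divisions


def fermat_factor(n):
    """Fermat factorization of an odd positive integer n.

    Returns (a, b, steps) with n == a * b and a <= b, where steps counts the
    values x*x - n that were tested for being a perfect square.
    """
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be odd and positive")
    x = isqrt(n)
    if x * x < n:
        x += 1                           # smallest x with x*x >= n
    steps = 0
    while True:
        steps += 1
        y2 = x * x - n
        y = isqrt(y2)
        if y * y == y2:                  # x^2 - n is a perfect square
            return x - y, x + y, steps
        x += 1


def fermat_worst_case(n):
    """The bound (n + 1)/2 - [sqrt(n)] on the number of squares tested."""
    return (n + 1) // 2 - isqrt(n)


if __name__ == "__main__":
    print(trial_division(42833))         # Example 3.22
    print(fermat_factor(6077))           # Example 3.23
    # Constructed inputs: two factors of similar size, then a prime.
    print(fermat_factor(1000036000099))
    print(fermat_factor(10007), fermat_worst_case(10007))
```

The constructed semiprime falls on the first square tested, while the prime 10007 needs the full $(n + 1)/2 - [\sqrt{n}] = 4904$ tests; this is the reason RSA key generation rejects prime pairs that lie too close together.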


The Fermat Numbers 


The integers $F_n = 2^{2^n} + 1$ are called the Fermat numbers. Fermat conjectured that these integers are all primes. Indeed, the first few are primes, namely, $F_0 = 3$, $F_1 = 5$, $F_2 = 17$, $F_3 = 257$, and $F_4 = 65,537$. Unfortunately, $F_5 = 2^{2^5} + 1$ is composite, as we will now demonstrate.


Example 3.24. The Fermat number $F_5 = 2^{2^5} + 1$ is divisible by 641. We can show that $641 \mid F_5$ without actually performing the division, using several not-so-obvious observations. Note that

$$641 = 5 \cdot 2^7 + 1 = 2^4 + 5^4.$$

Hence,

$$\begin{aligned}
2^{2^5} + 1 &= 2^{32} + 1 = 2^4 \cdot 2^{28} + 1 = (641 - 5^4) 2^{28} + 1 \\
&= 641 \cdot 2^{28} - (5 \cdot 2^7)^4 + 1 = 641 \cdot 2^{28} - (641 - 1)^4 + 1 \\
&= 641(2^{28} - 641^3 + 4 \cdot 641^2 - 6 \cdot 641 + 4).
\end{aligned}$$

Therefore, we see that $641 \mid F_5$.


The following result is a valuable aid in the factorization of Fermat numbers. 


Theorem 3.20. Every prime divisor of the Fermat number $F_n = 2^{2^n} + 1$ is of the form $2^{n+2}k + 1$.


The proof of Theorem 3.20 is presented as an exercise in Chapter 11. Here, we 
indicate how Theorem 3.20 is useful in determining the factorization of Fermat numbers. 


Example 3.25. From Theorem 3.20, we know that every prime divisor of $F_3 = 2^{2^3} + 1 = 257$ must be of the form $2^5 k + 1 = 32k + 1$. Because there are no primes of this form less than or equal to $\sqrt{257}$, we can conclude that $F_3 = 257$ is prime.


Example 3.26. When factoring $F_6 = 2^{2^6} + 1$, we use Theorem 3.20 to see that all of its prime factors are of the form $2^8 k + 1 = 256k + 1$. Hence, we need only perform trial divisions of $F_6$ by primes of the form 256k + 1 that do not exceed $\sqrt{F_6}$. After considerable computation, we find that a prime divisor is obtained with k = 1071, that is, $274,177 = (256 \cdot 1071 + 1) \mid F_6$.
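
A search guided by Theorem 3.20, as an added Python example that is not code from the book: it tests only candidates of the form $2^{n+2}k + 1$ and reproduces Example 3.24 (641 divides $F_5$), Example 3.25 ($F_3$ is prime) and Example 3.26 (k = 1071 for $F_6$). The function names, the max_k cap, and the use of modular exponentiation in place of dividing $F_n$ itself are assumptions of this example.

```python
from math import isqrt


def fermat_number(n):
    """F_n = 2^(2^n) + 1."""
    return (1 << (1 << n)) + 1


def divides_fermat(q, n):
    """True if q | F_n, tested as 2^(2^n) = -1 (mod q) by repeated squaring."""
    return pow(2, 1 << n, q) == q - 1


def smallest_factor(n, max_k=1 << 20):
    """Smallest prime factor of F_n among the candidates k * 2^(n+2) + 1.

    Returns (k, q) for the first candidate q that divides F_n. That q is
    prime: a prime factor of a composite q would also divide F_n, would have
    the same form, and would have been reached earlier.
    Returns None when every candidate up to sqrt(F_n) fails, which proves
    that F_n is prime.
    Raises LookupError when max_k candidates are used up first; nothing is
    proved in that case.
    """
    if n < 2:
        # F_0 = 3 and F_1 = 5 are not of the form 2^(n+2)k + 1.
        raise ValueError("the form 2^(n+2)k + 1 applies for n >= 2")
    step = 1 << (n + 2)
    limit = isqrt(fermat_number(n))
    for k in range(1, max_k + 1):
        q = k * step + 1
        if q > limit:
            return None
        if divides_fermat(q, n):
            return k, q
    raise LookupError(f"no factor of F_{n} found with k <= {max_k}")


if __name__ == "__main__":
    for n in range(2, 7):
        hit = smallest_factor(n)
        if hit is None:
            print(f"F_{n} = {fermat_number(n)} is prime")
        else:
            k, q = hit
            print(f"F_{n}: k = {k}, factor {q}, cofactor {fermat_number(n) // q}")
```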


Known Factorizations of Fermat Numbers A tremendous amount of effort has been 
devoted to the factorization of Fermat numbers. As yet, no new Fermat primes (beyond 
F4) have been found. Many mathematicians believe that no additional Fermat primes 
exist. We will develop a primality test for Fermat numbers in Chapter 11, which has 
been used to show that many Fermat numbers are composite. (When such a test is used, 
it is not necessary to use trial division to show that a number is not divisible by a prime 
not exceeding its square root.) 


As of early 2010, a total of 243 Fermat numbers are known to be composite, but the complete factorizations are known for only seven composite Fermat numbers: $F_5$, $F_6$, $F_7$, $F_8$, $F_9$, $F_{10}$, and $F_{11}$. The Fermat number $F_9$, a number with 155 decimal digits, was factored in 1990 by Mark Manasse and Arjen Lenstra, using the number field sieve, which breaks the problem of factoring an integer into a large number of smaller factoring problems that can be done in parallel. Though Manasse and Lenstra farmed out computations for the factorization of $F_9$ to hundreds of mathematicians and computer scientists, it still took about two months to complete the computations. (For details of the factorization of $F_9$, see [Ci90].)


The prime factorization of $F_{11}$ was discovered by Richard Brent in 1989, using a factorization algorithm known as the elliptic curve method (described in detail in [Br89]). There are 617 decimal digits in $F_{11}$, and $F_{11} = 319,489 \cdot 974,849 \cdot P_{21} \cdot P_{22} \cdot P_{564}$, where $P_{21}$, $P_{22}$, and $P_{564}$ are primes with 21, 22, and 564 digits, respectively. It took until 1995 for Brent to completely factor $F_{10}$. He discovered, using elliptic curve factorization, that $F_{10} = 45,592,577 \cdot 6,487,031,809 \cdot P_{40} \cdot P_{252}$, where $P_{40}$ and $P_{252}$ are primes with 40 and 252 digits, respectively.


Many Fermat numbers are known to be composite because at least one prime factor of these numbers has been found, using results such as Theorem 3.20. It is also known that $F_n$ is composite for n = 14, 20, 22, and 24, but no factors of these numbers have yet been found. The largest n for which it is known that $F_n$ is composite is n = 2,478,782. ($F_{339,447}$ was the first Fermat number with more than 100,000 digits shown to be composite; it was shown to be composite in July 1999.) $F_{33}$ is the smallest Fermat number that has not yet been shown to be composite, if it is indeed composite. Because of steady advances in computer software and hardware, we can expect new results on the nature of Fermat numbers and their factorizations to be found at a healthy rate.


The factorization of Fermat numbers is part of the Cunningham project, sponsored by the American Mathematical Society. Devoted to building tables of all the known factors of integers of the form $b^n + 1$, where b = 2, 3, 5, 6, 7, 10, 11, and 12, the project’s name refers to A. J. Cunningham, a colonel in the British army, who compiled a table of factors of integers of this sort in the early years of the twentieth century. The factor tables as of 1988 are contained in [Br88]; the current state of affairs is available over the Internet. Numbers of the form $b^n + 1$ are of special interest because of their importance in generating pseudorandom numbers (see Chapter 10), their importance in abstract algebra, and their significance in number theory.


In conjunction with the Cunningham project, a list of the “ten most wanted” integers to be factored is kept by Samuel Wagstaff of Purdue University. For example, until it was factored in 1990, $F_9$ was on this list. With advances in factoring techniques and computer power, increasingly larger numbers are included on the list. In the early 1980s, the largest had between 50 and 70 decimal digits; in the early 1990s, they had between 90 and 130 decimal digits; in the early 2000s, they had between 150 and 200 decimal digits; as of early 2010, they had between 185 and 233 decimal digits.


Using the Fermat Numbers to Prove the Infinitude of Primes It is possible to 
prove that there are infinitely many primes using Fermat numbers. We begin by showing 
that any two distinct Fermat numbers are relatively prime. The following lemma will be 
used. 


Lemma 3.10. Let $F_k = 2^{2^k} + 1$ denote the kth Fermat number, where k is a nonnegative integer. Then for all positive integers n, we have

$$F_0 F_1 F_2 \cdots F_{n-1} = F_n - 2.$$

Proof. We will prove the lemma using mathematical induction. For n = 1, the identity reads

$$F_0 = F_1 - 2.$$

This is obviously true, because $F_0 = 3$ and $F_1 = 5$. Now, let us assume that the identity holds for the positive integer n, so that

$$F_0 F_1 F_2 \cdots F_{n-1} = F_n - 2.$$

With this assumption, we can easily show that the identity holds for the integer n + 1, because

$$\begin{aligned}
F_0 F_1 F_2 \cdots F_{n-1} F_n &= (F_0 F_1 F_2 \cdots F_{n-1}) F_n \\
&= (F_n - 2) F_n = (2^{2^n} - 1)(2^{2^n} + 1) \\
&= (2^{2^n})^2 - 1 = 2^{2^{n+1}} - 1 = F_{n+1} - 2.
\end{aligned}$$


This leads to the following theorem. 
Theorem 3.21. Let m and n be distinct nonnegative integers. Then the Fermat numbers $F_m$ and $F_n$ are relatively prime.

Proof. Let us assume that m < n. By Lemma 3.10, we know that

$$F_0 F_1 F_2 \cdots F_m \cdots F_{n-1} = F_n - 2.$$

Assume that d is a common divisor of $F_m$ and $F_n$. Then, Theorem 1.8 tells us that

$$d \mid (F_n - F_0 F_1 F_2 \cdots F_m \cdots F_{n-1}) = 2.$$

Hence, either d = 1 or d = 2. However, because $F_m$ and $F_n$ are odd, d cannot be 2. Consequently, d = 1 and $(F_m, F_n) = 1$.


Using Fermat numbers, we now give another proof that there are infinitely many primes. First, we note that by Lemma 3.1 in Section 3.1, every Fermat number $F_n$ has a prime divisor $p_n$. Because $(F_m, F_n) = 1$, we know that $p_m \ne p_n$ whenever $m \ne n$. Hence, we can conclude that there are infinitely many primes.


The Fermat Primes and Geometry The Fermat primes are important in geometry. 
The proof of the following famous theorem of Gauss may be found in [Or88]. 


Theorem 3.22. A regular polygon of n sides can be constructed using a straightedge (unmarked ruler) and compass if and only if n is the product of a nonnegative power of 2 and a nonnegative number of distinct Fermat primes.


EXERCISES 


1. Find the prime factorization of each of the following positive integers.

a) 33,776,925 b) 210,733,237 c) 1,359,170,111


2. Find the prime factorization of each of the following positive integers.

a) 33,108,075 b) 7,300,977,607 c) 4,165,073,376,607


3. Using the Fermat factorization method, factor each of the following positive integers.

a) 143 b) 2279 c) 43 d) 11,413




4. Using the Fermat factorization method, factor each of the following positive integers. 
a) 8051 c) 46,009 e) 3,200,399 
b) 73 d) 11,021 f) 24,681,023 


5. Show that the last two decimal digits of a perfect square must be one of the following pairs: 00, e1, e4, 25, o6, e9, where e stands for any even digit and o stands for any odd digit. (Hint: Show that $n^2$, $(50 + n)^2$, and $(50 - n)^2$ all have the same final decimal digits, and then consider those integers n with 0 < n < 25.)


6. Explain how the result of Exercise 5 can be used to speed up Fermat’s factorization method.


7. Show that if the smallest prime factor of n is p, then $x^2 - n$ will not be a perfect square for $x > (n + p^2)/(2p)$, with the single exception x = (n + 1)/2.


Exercises 8-10 involve the method of Draim factorization. To use this technique to search for a factor of the positive integer $n = n_1$, we start by using the division algorithm, to obtain

$$n_1 = 3q_1 + r_1, \quad 0 \le r_1 < 3.$$

Setting $m_1 = n_1$, we let

$$m_2 = m_1 - 2q_1, \quad n_2 = m_2 + r_1.$$

We use the division algorithm again, to obtain

$$n_2 = 5q_2 + r_2, \quad 0 \le r_2 < 5,$$

and we let

$$m_3 = m_2 - 2q_2, \quad n_3 = m_3 + r_2.$$

We proceed recursively, using the division algorithm, to write

$$n_k = (2k + 1)q_k + r_k, \quad 0 \le r_k < 2k + 1,$$

and we define

$$m_k = m_{k-1} - 2q_{k-1}, \quad n_k = m_k + r_{k-1}.$$

We stop when we obtain a remainder $r_k = 0$.


8. Show that $n_k = k n_1 - (2k + 1)(q_1 + q_2 + \cdots + q_{k-1})$ and that $m_k = n_1 - 2(q_1 + q_2 + \cdots + q_{k-1})$.

9. Show that if $(2k + 1) \mid n$, then $(2k + 1) \mid n_k$ and $n = (2k + 1) m_{k+1}$.

10. Factor 5899 using Draim factorization.


In Exercises 11-13, we develop a factorization technique known as Euler’s method. It is applicable when the integer being factored is odd and can be written as the sum of two squares in two different ways. Let n be odd and let $n = a^2 + b^2 = c^2 + d^2$, where a and c are odd positive integers and b and d are even positive integers.


11. Let u = (a - c, b - d). Show that u is even, and that if r = (a - c)/u and s = (d - b)/u, then (r, s) = 1, r(a + c) = s(d + b), and s | (a + c).

12. Let sv = a + c. Show that rv = d + b, v = (a + c, d + b), and v is even.

13. Conclude that n may be factored as $n = [(u/2)^2 + (v/2)^2](r^2 + s^2)$.
14. Use Euler’s method to factor each of the following integers.

a) $221 = 10^2 + 11^2 = 5^2 + 14^2$

b) $2501 = 50^2 + 1^2 = 49^2 + 10^2$

c) $1,000,009 = 1000^2 + 3^2 = 972^2 + 235^2$


15. Show that any number of the form $2^{4n+2} + 1$ can be factored easily by the use of the identity $4x^4 + 1 = (2x^2 + 2x + 1)(2x^2 - 2x + 1)$. Factor $2^{18} + 1$ using this identity.

16. Show that if a is a positive integer and $a^m + 1$ is an odd prime, then $m = 2^n$ for some nonnegative integer n. (Hint: Recall the identity $a^m + 1 = (a^k + 1)(a^{k(l-1)} - a^{k(l-2)} + \cdots - a^k + 1)$, where m = kl and l is odd.)


17. Show that the last digit in the decimal expansion of $F_n = 2^{2^n} + 1$ is 7 if n > 2. (Hint: Using mathematical induction, show that the last decimal digit of $2^{2^n}$ is 6.)


18. Use the fact that every prime divisor of $F_4 = 2^{2^4} + 1 = 65,537$ is of the form $2^6 k + 1 = 64k + 1$ to verify that $F_4$ is prime. (You should need only one trial division.)


19. Use the fact that every prime divisor of $F_5 = 2^{2^5} + 1$ is of the form $2^7 k + 1 = 128k + 1$ to demonstrate that the prime factorization of $F_5$ is $F_5 = 641 \cdot 6,700,417$.


20. Find all primes of the form $2^{2^n} + 5$, where n is a nonnegative integer.

21. Estimate the number of decimal digits in the Fermat number $F_n$.


22. What is the greatest common divisor of n and $F_n$, where n is a positive integer? Prove that your answer is correct.


23. Show that the only integer of the form $2^m + 1$, where m is a positive integer, that is a power of a positive integer (i.e., is of the form $n^k$, where n and k are positive integers with $k \ge 2$) occurs when m = 3.


24. Factoring kn by the Fermat factorization method, where k is a small positive integer, is sometimes easier than factoring n by this method. Show that to factor 901 by the Fermat factorization method, it is easier to factor 3 · 901 = 2703 than to factor 901.


Computations and Explorations


1. Using trial division, find the prime factorization of several integers of your choice exceeding
10,000.

2. Factor several integers of your choice exceeding 10,000, using Fermat factorization.

3. Factor the Fermat numbers $F_6$ and $F_7$ using Theorem 3.20.


Programming Projects


1. Given a positive integer n, find the prime factorization of n.
2. Given a positive integer n, perform the Fermat factorization method on n.
3. Given a positive integer n, perform Draim factorization on n (see the preamble to Exercise 8).
4. Check the Fermat number $F_n$, where n is a positive integer, for prime factors, using Theorem 3.20.
3.7 Linear Diophantine Equations


Consider the following problem: A man wishes to purchase $510 of travelers’ checks. 
The checks are available only in denominations of $20 and $50. How many of each 
denomination should he buy? If we let x denote the number of $20 checks and y the 
number of $50 checks that he should buy, then the equation 20x + 50y = 510 must be 
satisfied. To solve this problem, we need to find all solutions of this equation, where both 
x and y are nonnegative integers. 


A related problem arises when a woman wishes to mail a package. The postal clerk 
determines the cost of postage to be 83 cents, but only 6-cent and 15-cent stamps are 
available. Can some combination of these stamps be used to mail the package? To answer 
this, we first let x denote the number of 6-cent stamps and y the number of 15-cent stamps 
to be used. Then we must have 6x + 15y = 83, where both x and y are nonnegative 
integers. 


When we require that solutions of a particular equation come from the set of integers,
we have a diophantine equation. These equations get their name from the ancient Greek
mathematician Diophantus, who wrote on equations where solutions are restricted to
rational numbers. The equation ax + by = c, where a, b, and c are integers, is called a
linear diophantine equation in two variables.


Note that the pair of integers (x, y) is a solution of the linear diophantine equation
ax + by = c if and only if (x, y) is a lattice point in the plane that lies on the
line ax + by = c. We illustrate this in Figure 3.2 for the linear diophantine equation
2x + 3y = 5.


The first person to describe a general solution of linear diophantine equations was the
Indian mathematician Brahmagupta, who included it in a book he wrote in the seventh
century. We now develop the theory for solving such equations. The following theorem
tells us when such an equation has solutions, and when there are solutions, explicitly
describes them.


Theorem 3.23. Let a and b be integers with d = (a, b). The equation ax + by = c has
no integral solutions if $d \nmid c$. If $d \mid c$, then there are infinitely many integral solutions.


DIOPHANTUS (c. 250) wrote the Arithmetica, which is the earliest known book on 
algebra; it contains the first systematic use of mathematical notation to represent unknowns 
in equations and powers of these unknowns. Almost nothing is known about Diophantus, 
other than that he lived in Alexandria around 250 C.E. The only source of details about his
life comes from an epigram found in a collection called the Greek Anthology: “Diophantus
passed one sixth of his life in childhood, one twelfth in youth, and one seventh as a bachelor. 
Five years after his marriage was born a son who died four years before his father, at half 
his father’s age.” From this the reader can infer that Diophantus lived to the age of 84. 
Figure 3.2 Solutions of 2x + 3y = 5 in integers x and y correspond to the lattice points on the
line 2x + 3y = 5.


Moreover, if $x = x_0$, $y = y_0$ is a particular solution of the equation, then all solutions are
given by

$$x = x_0 + (b/d)n, \quad y = y_0 - (a/d)n,$$

where n is an integer.


Proof. Assume that x and y are integers such that ax + by = c. Then, because $d \mid a$
and $d \mid b$, by Theorem 1.9, $d \mid c$ as well. Hence, if $d \nmid c$, there are no integral solutions
of the equation.


Now assume that $d \mid c$. By Theorem 3.8, there are integers s and t with

(3.3) $d = as + bt$.


Because $d \mid c$, there is an integer e with de = c. Multiplying both sides of (3.3) by e, we
have

$$c = de = (as + bt)e = a(se) + b(te).$$

Hence, one solution of the equation is given by $x = x_0$ and $y = y_0$, where $x_0 = se$ and
$y_0 = te$.
To show that there are infinitely many solutions, let $x = x_0 + (b/d)n$ and
$y = y_0 - (a/d)n$, where n is an integer. We will first show that any pair (x, y), with
$x = x_0 + (b/d)n$, $y = y_0 - (a/d)n$, where n is an integer, is a solution; then we will show
that every solution must have this form. We see that this pair (x, y) is a solution, because

$$ax + by = ax_0 + a(b/d)n + by_0 - b(a/d)n = ax_0 + by_0 = c.$$

We now show that every solution of the equation ax + by = c must be of the form
described in the theorem. Suppose that x and y are integers with ax + by = c. Because

$$ax_0 + by_0 = c,$$

by subtraction we find that

$$(ax + by) - (ax_0 + by_0) = 0,$$

which implies that

$$a(x - x_0) + b(y - y_0) = 0.$$

Hence,

$$a(x - x_0) = b(y_0 - y).$$

Dividing both sides of this last equation by d, we see that

$$(a/d)(x - x_0) = (b/d)(y_0 - y).$$


By Theorem 3.6, we know that (a/d, b/d) = 1. Using Lemma 3.4, it follows that
$(a/d) \mid (y_0 - y)$. Hence, there is an integer n with $(a/d)n = y_0 - y$; this means that
$y = y_0 - (a/d)n$. Now, putting this value of y into the equation $a(x - x_0) = b(y_0 - y)$,
we find that $a(x - x_0) = b(a/d)n$, which implies that $x = x_0 + (b/d)n$. ■


The following examples illustrate the use of Theorem 3.23. 


Example 3.27. By Theorem 3.23, there are no integral solutions of the diophantine
equation 15x + 6y = 7, because (15, 6) = 3 but $3 \nmid 7$. ◄


BRAHMAGUPTA (598–670), thought to have been born in Ujjain, India, became the
head of the astronomical observatory there; this observatory was the center of Indian
mathematical studies at that time. Brahmagupta wrote two important books on mathematics
and astronomy, Brahma-sphuta-siddhanta (“The Opening of the Universe”) and
Khandakhadyaka, written in 628 and 665, respectively. He developed many interesting formulas
and theorems in planar geometry, and studied arithmetic progressions and quadratic
equations. Brahmagupta developed new algebraic notation, and his understanding of the number
system was advanced for his time. He is considered to be the first person to describe a
general solution of linear diophantine equations. In astronomy, he studied eclipses, positions
of the planets, and the length of the year.
Example 3.28. By Theorem 3.23, there are infinitely many solutions of the diophantine
equation 21x + 14y = 70, because (21, 14) = 7 and $7 \mid 70$. To find these solutions, note
that by the Euclidean algorithm, $1 \cdot 21 + (-1) \cdot 14 = 7$, so that $10 \cdot 21 + (-10) \cdot 14 = 70$.
Hence, $x_0 = 10$, $y_0 = -10$ is a particular solution. All solutions are given by $x = 10 + 2n$,
$y = -10 - 3n$, where n is an integer. ◄


We will now use Theorem 3.23 to solve the two problems described at the beginning 
of the section. 


Example 3.29. Consider the problem of forming 83 cents in postage using only 6- and 
15-cent stamps. If x denotes the number of 6-cent stamps and y denotes the number 
of 15-cent stamps, we have 6x + 15y = 83. Because (6, 15) = 3 does not divide 83, by 
Theorem 3.23 we know that there are no integral solutions. Hence, no combination of 
6- and 15-cent stamps gives the correct postage. ◄


Example 3.30. Consider the problem of purchasing $510 of travelers’ checks, using 
only $20 and $50 checks. How many of each type of check should be used? 


Let x be the number of $20 checks and let y be the number of $50 checks. We have
the equation 20x + 50y = 510. Note that the greatest common divisor of 20 and 50 is
(20, 50) = 10. Because 10 | 510, there are infinitely many integral solutions of this linear
diophantine equation. Using the Euclidean algorithm, we find that 20(−2) + 50 = 10.
Multiplying both sides by 51, we obtain 20(−102) + 50(51) = 510. Hence, a particular
solution is given by $x_0 = -102$ and $y_0 = 51$. Theorem 3.23 tells us that all integral
solutions are of the form x = −102 + 5n and y = 51 − 2n. Because we want both x and
y to be nonnegative, we must have $-102 + 5n \ge 0$ and $51 - 2n \ge 0$; thus, $n \ge 20\tfrac{2}{5}$
and $n \le 25\tfrac{1}{2}$. Because n is an integer, it follows that n = 21, 22, 23, 24, or 25. Hence,
we have the following five solutions: (x, y) = (3, 9), (8, 7), (13, 5), (18, 3), and (23, 1).
So the teller can give the customer 3 $20 checks and 9 $50 checks, 8 $20 checks and 7
$50 checks, 13 $20 checks and 5 $50 checks, 18 $20 checks and 3 $50 checks, or 23
$20 checks and 1 $50 check. ◄


We can extend Theorem 3.23 to cover linear diophantine equations with more than 
two variables, as the following theorem demonstrates. 


Theorem 3.24. If $a_1, a_2, \ldots, a_n$ are nonzero integers, then the equation
$a_1x_1 + a_2x_2 + \cdots + a_nx_n = c$ has an integral solution if and only if $d = (a_1, a_2, \ldots, a_n)$ divides c.
Furthermore, when there is a solution, there are infinitely many solutions.


Proof. If there are integers $x_1, x_2, \ldots, x_n$ such that $a_1x_1 + a_2x_2 + \cdots + a_nx_n = c$, then
because d divides $a_i$ for $i = 1, 2, \ldots, n$, by Theorem 1.9, d also divides c. Hence, if $d \nmid c$,
there are no integral solutions of the equation.


We will use mathematical induction to prove that there are infinitely many integral
solutions when $d \mid c$. Note that by Theorem 3.23 this is true when n = 2.


Now, suppose that there are infinitely many solutions for all equations in n variables
satisfying the hypotheses. By Theorem 3.9, the set of linear combinations
$a_nx_n + a_{n+1}x_{n+1}$ is the same as the set of multiples of $(a_n, a_{n+1})$. Hence, for every integer y
there are infinitely many solutions of the linear diophantine equation
$a_nx_n + a_{n+1}x_{n+1} = (a_n, a_{n+1})y$. It follows that the original equation in n + 1 variables can be reduced to a
linear diophantine equation in n variables:

$$a_1x_1 + a_2x_2 + \cdots + a_{n-1}x_{n-1} + (a_n, a_{n+1})y = c.$$

Note that c is divisible by $(a_1, a_2, \ldots, a_{n-1}, (a_n, a_{n+1}))$ because, by Lemma 3.2, this
greatest common divisor equals $(a_1, a_2, \ldots, a_n, a_{n+1})$. By the inductive hypothesis, this
equation has infinitely many integer solutions, as it is a linear diophantine equation in n
variables where the greatest common divisor of the coefficients divides the constant c.
It follows that there are infinitely many solutions to the original equation. ■


A method for solving linear diophantine equations in more than two variables can 
be found using the reduction in the proof of Theorem 3.24. We leave an application of 
Theorem 3.24 to the exercises. 


EXERCISES


1. For each of the following linear diophantine equations, either find all solutions or show that
there are no integral solutions.
a) 2x + 5y = 11 b) 17x + 13y = 100 c) 21x + 14y = 147
d) 60x + 18y = 97 e) 1402x + 1969y = 1


2. For each of the following linear diophantine equations, either find all solutions or show that
there are no integral solutions.
a) 3x + 4y = 7 b) 12x + 18y = 50 c) 30x + 47y = −11
d) 25x + 95y = 970 e) 102x + 1001y = 1


3. A Japanese businessman returning home from a trip to North America exchanges his U.S. and
Canadian dollars for yen. If he received 9,763 yen, and received 99 yen for each U.S. and 86
yen for each Canadian dollar, how many of each type of currency did he exchange?


4. A student returning from Europe changes her euros and Swiss francs into U.S. money. If she
received $46.58 and received $1.39 for each euro and 91¢ for each Swiss franc, how much
of each type of currency did she exchange?


5. A professor returning home from conferences in Paris and London changes his euros and
pounds into U.S. money. If he received $125.78 and received $1.31 for each euro and $1.61
for each pound, how much of each type of currency did he exchange?


6. The Indian astronomer and mathematician Mahavira, who lived in the ninth century, posed
this puzzle: A band of 23 weary travelers entered a lush forest where they found 63 piles each
containing the same number of plantains and a remaining pile containing seven plantains.
They divided the plantains equally. How many plantains were in each of the 63 piles? Solve
this puzzle.


7. A grocer orders apples and oranges at a total cost of $8.39. If apples cost him 25¢ each and
oranges cost him 18¢ each, how many of each type of fruit did he order?


8. A shopper spends a total of $5.49 for oranges, which cost 18¢ each, and grapefruit, which
cost 33¢ each. What is the minimum number of pieces of fruit the shopper could have bought?
9. A postal clerk has only 14- and 21-cent stamps to sell. What combinations of these may be
used to mail a package requiring postage of exactly each of the following amounts?
a) $3.50 b) $4.00 c) $7.77
10. At a clambake, the total cost of a lobster dinner is $11, and that of a chicken dinner is $8.
What can you conclude if the total bill is each of the following amounts?
a) $777 b) $96 c) $69
* 11. Find all integer solutions of each of the following linear diophantine equations.
a) 2x + 3y + 4z = 5 b) 7x + 21y + 35z = 8 c) 101x + 102y + 103z = 1
* 12. Find all integer solutions of each of the following linear diophantine equations.
a) $2x_1 + 5x_2 + 4x_3 + 3x_4 = 5$
b) $12x_1 + 21x_2 + 9x_3 + 15x_4 = 9$
c) $15x_1 + 6x_2 + 10x_3 + 21x_4 + 35x_5 = 1$
13. Which combinations of pennies, dimes, and quarters have a total value of 99¢? 


14. How many ways can change be made for one dollar, using each of the following coins? 
a) dimes and quarters c) pennies, nickels, dimes, and quarters 
b) nickels, dimes, and quarters 


In Exercises 15-17, we consider simultaneous linear diophantine equations. To solve these, first 
eliminate all but two variables and then solve the resulting equation in two variables. 


15. Find all integer solutions of the following systems of linear diophantine equations. 


a) x + y + z = 100
   x + 8y + 50z = 156
b) x + y + z = 100
   x + 6y + 21z = 121
c) x + y + z + w = 100
   x + 2y + 3z + 4w = 300
   x + 4y + 9z + 16w = 1000


16. A piggy bank contains 24 coins, all of which are nickels, dimes, or quarters. If the total value 
of the coins is two dollars, what combinations of coins are possible? 


17. Nadir Airways offers three types of tickets on their Boston—New York flights. First-class 
tickets are $140, second-class tickets are $110, and standby tickets are $78. If 69 passengers 
pay a total of $6548 for their tickets on a particular flight, how many of each type of ticket 
were sold? 


18. Is it possible to have 50 coins, all of which are pennies, dimes, or quarters, with a total worth
$3?


Let a and b be relatively prime positive integers, and let n be a positive integer. A solution (x, y)
of the linear diophantine equation ax + by = n is nonnegative when both x and y are nonnegative.


* 19. Show that whenever $n \ge (a - 1)(b - 1)$, there is a nonnegative solution of ax + by = n.


* 20. Show that if n = ab − a − b, then there are no nonnegative solutions of ax + by = n.


21. Show that there are exactly (a − 1)(b − 1)/2 nonnegative integers n < ab − a − b such that
the equation has a nonnegative solution.


22. The post office in a small Maine town is left with stamps of only two values. They discover that
there are exactly 33 postage amounts that cannot be made up using these stamps, including
46¢. What are the values of the remaining stamps?


23. A Chinese puzzle found in the sixth-century work of mathematician Chang Ch’iu-chien,
called the “hundred fowls” problem, asks: If a cock is worth five coins, a hen three coins, and
three chickens together are worth one coin, how many cocks, hens, and chickens, totaling
100, can be bought for 100 coins? Solve this problem.


24. Find all solutions where x and y are integers to the diophantine equation

$$\frac{1}{x} + \frac{1}{y} = \frac{1}{14}.$$


Computations and Explorations


1. Find all solutions of the linear diophantine equations 10234357x + 331108819y = 1 and
10234357x + 331108819y = 123456789.


2. Find all solutions of the linear diophantine equations 1122334455x + 10101010101y +
9898989898z = 1 and 1122334455x + 10101010101y + 9898989898z = 987654321.


3. Determine which positive integers are of the form 999x + 1001y, where x and y are
nonnegative integers. Confirm that your results agree with Exercises 19–21.


Programming Projects


1. Given the coefficients of a linear diophantine equation in two variables, find all its solutions.


2. Given the coefficients of a linear diophantine equation in two variables, find all its positive
solutions.


3. Given the coefficients of a linear diophantine equation in three variables, find all its positive
solutions.


4. Given the coefficients a and b, find all positive integers n for which the linear diophantine
equation ax + by = n has no positive solutions (see the preamble to Exercise 19).
4 Congruences


The language of congruences was invented by the great German mathematician
Gauss. It allows us to work with divisibility relationships in much the same way
as we work with equalities. We will develop the basic properties of congruences in this 
chapter, describe how to do arithmetic with congruences, and study congruences involv- 
ing unknowns, such as linear congruences. An example leading to a linear congruence is 
the problem of finding all integers x such that when 7x is divided by 11, the remainder 
is 3. We will also study systems of linear congruences that arise from such problems as 
the ancient Chinese puzzle that asks for a number that leaves a remainder of 2, 3, and 2, 
when divided by 3, 5, and 7, respectively. We will learn how to solve systems of linear 
congruences in one unknown, such as the system that results from this puzzle, using a 
famous method known as the Chinese remainder theorem. We will also learn how to 
solve polynomial congruences. Finally, we will introduce a factoring method, known as 
the Pollard rho method, which we use congruences to specify. 


Introduction to Congruences 


The special language of congruences that we introduce in this chapter, which is extremely 
useful in number theory, was developed at the beginning of the nineteenth century by 
Karl Friedrich Gauss, one of the most famous mathematicians in history. 


The language of congruences makes it possible to work with divisibility relationships
much as we work with equalities. Prior to the introduction of congruences, the
notation used for divisibility relationships was awkward and difficult to work with. The
introduction of a convenient notation helped accelerate the development of number theory.


Definition. Let m be a positive integer. If a and b are integers, we say that a is congruent
to b modulo m if $m \mid (a - b)$.


If a is congruent to b modulo m, we write $a \equiv b \pmod{m}$. If $m \nmid (a - b)$, we write
$a \not\equiv b \pmod{m}$, and say that a and b are incongruent modulo m. The integer m is called
the modulus of the congruence. The plural of modulus is moduli.


Example 4.1. We have $22 \equiv 4 \pmod{9}$, because $9 \mid (22 - 4) = 18$. Likewise, $3 \equiv -6 \pmod{9}$
and $200 \equiv 2 \pmod{9}$. On the other hand, $13 \not\equiv 5 \pmod{9}$ because
$9 \nmid (13 - 5) = 8$. ◄
Congruences often arise in everyday life. For instance, clocks work either modulo
12 or 24 for hours and modulo 60 for minutes and seconds; calendars work modulo 7 for 
days of the week and modulo 12 for months. Utility meters often operate modulo 1000, 
and odometers usually work modulo 100,000. 


In working with congruences, we will sometimes need to translate them into equal- 
ities. The following theorem helps us to do this. 


Theorem 4.1. If a and b are integers, then $a \equiv b \pmod{m}$ if and only if there is an
integer k such that $a = b + km$.


Proof. If $a \equiv b \pmod{m}$, then $m \mid (a - b)$. This means that there is an integer k with
$km = a - b$, so that $a = b + km$.


Conversely, if there is an integer k with $a = b + km$, then $km = a - b$. Hence,
$m \mid (a - b)$, and consequently, $a \equiv b \pmod{m}$. ■


Example 4.2. We have $19 \equiv -2 \pmod{7}$ and $19 = -2 + 3 \cdot 7$. ◄

We now show that congruences satisfy a number of important properties.


Theorem 4.2. Let m be a positive integer. Congruences modulo m satisfy the following
properties:

(i) Reflexive property. If a is an integer, then $a \equiv a \pmod{m}$.


KARL FRIEDRICH GAUSS (1777–1855) was the son of a bricklayer. It was
quickly apparent that he was a prodigy. In fact, at the age of 3, he corrected
an error in his father’s payroll. In his first arithmetic class, the teacher gave
an assignment designed to keep the class busy, namely, to find the sum of the
first 100 positive integers. Gauss, who was 8 at the time, realized that this
sum is 50 · 101 = 5050, because the terms can be grouped as 1 + 100 = 101,
2 + 99 = 101, ..., 49 + 52 = 101, and 50 + 51 = 101. In 1796, Gauss made an
important discovery in an area of geometry that had not progressed since ancient
times. In particular, he showed that a regular heptadecagon (17-sided polygon) could be drawn using
just a ruler and a compass. In 1799, he presented the first rigorous proof of the fundamental theorem
of algebra, which states that a polynomial of degree n with real coefficients has exactly n roots. Gauss
made fundamental contributions to astronomy, including calculating the orbit of the asteroid Ceres. On
the basis of this calculation, Gauss was appointed director of the Göttingen Observatory. He laid the
foundations of modern number theory with his book Disquisitiones Arithmeticae in 1801. Gauss was
called “Princeps Mathematicorum” (the Prince of Mathematicians) by his contemporaries. Although
Gauss is noted for his many discoveries in geometry, algebra, analysis, astronomy, and mathematical
physics, he had a special interest in number theory. This can be seen from his statement: “Mathematics
is the queen of sciences, and the theory of numbers is the queen of mathematics.” Gauss made most of
his important discoveries early in his life, and spent his later years refining them. Gauss made several
fundamental discoveries that he did not reveal. Mathematicians making the same discoveries were
often surprised to find that Gauss had described the results years earlier in his unpublished notes.
(ii) Symmetric property. If a and b are integers such that $a \equiv b \pmod{m}$, then
$b \equiv a \pmod{m}$.

(iii) Transitive property. If a, b, and c are integers with $a \equiv b \pmod{m}$ and
$b \equiv c \pmod{m}$, then $a \equiv c \pmod{m}$.


Proof.


(i) We see that $a \equiv a \pmod{m}$, because $m \mid (a - a) = 0$.


(ii) If $a \equiv b \pmod{m}$, then $m \mid (a - b)$. Hence, there is an integer k such that
$km = a - b$. This shows that $(-k)m = b - a$, so that $m \mid (b - a)$. Consequently,
$b \equiv a \pmod{m}$.

(iii) If $a \equiv b \pmod{m}$ and $b \equiv c \pmod{m}$, then $m \mid (a - b)$ and $m \mid (b - c)$. Hence,
there are integers k and l such that $km = a - b$ and $lm = b - c$. Therefore,
$a - c = (a - b) + (b - c) = km + lm = (k + l)m$. It follows that $m \mid (a - c)$
and $a \equiv c \pmod{m}$. ■


By Theorem 4.2, we see that the set of integers is divided into m different sets called 
congruence classes modulo m, each containing integers that are mutually congruent 
modulo m. Note that when m = 2, this gives us the two classes of even and odd integers. 


If you are familiar with the notion of relations on a set, Theorem 4.2 shows that 
congruence modulo m, where m is a positive integer, is an equivalence relation and the 
congruence classes modulo m are the equivalence classes of the equivalence relation 
defined by this relation. 


Example 4.3. The four congruence classes modulo 4 are given by

$\cdots \equiv -8 \equiv -4 \equiv 0 \equiv 4 \equiv 8 \equiv \cdots \pmod{4}$
$\cdots \equiv -7 \equiv -3 \equiv 1 \equiv 5 \equiv 9 \equiv \cdots \pmod{4}$
$\cdots \equiv -6 \equiv -2 \equiv 2 \equiv 6 \equiv 10 \equiv \cdots \pmod{4}$
$\cdots \equiv -5 \equiv -1 \equiv 3 \equiv 7 \equiv 11 \equiv \cdots \pmod{4}$. ◄


Suppose that m is a positive integer. Given an integer a, by the division algorithm
we have $a = bm + r$, where $0 \le r \le m - 1$. We call r the least nonnegative residue of a
modulo m. We say that r is the result of reducing a modulo m. Similarly, when we know
that a is not divisible by m, we call r the least positive residue of a modulo m.


Another commonly used notation, especially in computer science, is a mod m = r, 
which denotes that r is the remainder obtained when a is divided by m. For example, 17 
mod 5 = 2 and —8 mod 7 = 6. Note that mod m is a function from the set of integers to 
the set of {0, 1, 2,...,m— 1}. 


The relationship between these two different notations is clarified by the next 
theorem, whose proof is left to the reader as Exercises 10 and 11 at the end of this 
section. 


Theorem 4.3. If a and b are integers and m is a positive integer, then $a \equiv b \pmod{m}$
if and only if a mod m = b mod m.

Now note that from the equation $a = bm + r$, it follows that $a \equiv r \pmod{m}$. Hence,
every integer is congruent modulo m to one of the integers 0, 1, ..., m − 1, namely, the
remainder when it is divided by m. Because no two of the integers 0, 1, ..., m − 1 are
congruent modulo m, we have m integers such that every integer is congruent to exactly
one of these m integers.


Definition. A complete system of residues modulo m is a set of integers such that every 
integer is congruent modulo m to exactly one integer of the set. 


Example 4.4. The division algorithm shows that the set of integers 0, 1, 2, ..., m − 1
is a complete system of residues modulo m. This is called the set of least nonnegative
residues modulo m. ◄


Example 4.5. Let m be an odd positive integer. Then the set of integers

$$-\frac{m-1}{2}, -\frac{m-3}{2}, \ldots, -1, 0, 1, \ldots, \frac{m-3}{2}, \frac{m-1}{2},$$

the set of absolute least residues modulo m, is a complete system of residues. ◄


We will often do arithmetic with congruences, which is called modular arithmetic. 
Congruences have many of the same properties that equalities do. First, we show that 
an addition, subtraction, or multiplication to both sides of a congruence preserves the 
congruence. 


Theorem 4.4. If a, b, c, and m are integers, with m > 0, such that $a \equiv b \pmod{m}$, then


(i) $a + c \equiv b + c \pmod{m}$,
(ii) $a - c \equiv b - c \pmod{m}$,
(iii) $ac \equiv bc \pmod{m}$.


Proof. Because $a \equiv b \pmod{m}$, we know that $m \mid (a - b)$. From the identity
$(a + c) - (b + c) = a - b$, we see that $m \mid ((a + c) - (b + c))$, so that (i) follows. Likewise, (ii)
follows from the fact that $(a - c) - (b - c) = a - b$. To show that (iii) holds, note
that $ac - bc = c(a - b)$. Because $m \mid (a - b)$, it follows that $m \mid c(a - b)$, and hence,
$ac \equiv bc \pmod{m}$. ■


Example 4.6. Because $19 \equiv 3 \pmod{8}$, it follows from Theorem 4.4 that
$26 = 19 + 7 \equiv 3 + 7 = 10 \pmod{8}$, $15 = 19 - 4 \equiv 3 - 4 = -1 \pmod{8}$, and
$38 = 19 \cdot 2 \equiv 3 \cdot 2 = 6 \pmod{8}$. ◄

What happens when both sides of a congruence are divided by an integer? Consider 
the following example. 


Example 4.7. We have $14 = 7 \cdot 2 \equiv 4 \cdot 2 = 8 \pmod{6}$. But we cannot cancel the
common factor of 2, because $7 \not\equiv 4 \pmod{6}$. ◄

This example shows that it is not necessarily true that we preserve a congruence
when we divide both sides by the same integer. However, the following theorem gives a
valid congruence when both sides of a congruence are divided by the same integer.


Theorem 4.5. If a, b, c, and m are integers such that m > 0, d = (c, m), and
$ac \equiv bc \pmod{m}$, then $a \equiv b \pmod{m/d}$.


Proof. If $ac \equiv bc \pmod{m}$, we know that $m \mid (ac - bc) = c(a - b)$. Hence, there is
an integer k with $c(a - b) = km$. By dividing both sides by d, we have
$(c/d)(a - b) = k(m/d)$. Because (m/d, c/d) = 1, by Lemma 3.4 it follows that $m/d \mid (a - b)$. Hence,
$a \equiv b \pmod{m/d}$. ■


Example 4.8. Because $50 \equiv 20 \pmod{15}$ and (10, 15) = 5, we see that
$50/10 \equiv 20/10 \pmod{15/5}$, or $5 \equiv 2 \pmod{3}$. ◄


The following corollary, which is a special case of Theorem 4.5, is used often; it 
allows us to cancel numbers that are relatively prime to the modulus m in congruences 
modulo m. 


Corollary 4.5.1. If a, b, c, and m are integers such that m > 0, (c, m) = 1, and
$ac \equiv bc \pmod{m}$, then $a \equiv b \pmod{m}$.


Example 4.9. Because $42 \equiv 7 \pmod{5}$ and (5, 7) = 1, we can conclude that
$42/7 \equiv 7/7 \pmod{5}$, or that $6 \equiv 1 \pmod{5}$. ◄
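Theorem 4.5 and Corollary 4.5.1 as an added Python example (not code from the book; the function names are assumptions made here). It goes one step beyond the theorem as stated by also checking the easy converse, so that the residues b with bc ≡ ac (mod m) are exactly those with b ≡ a (mod m/d).

```python
from math import gcd


def congruent(a, b, m):
    """a is congruent to b modulo m, by the definition m | (a - b)."""
    return (a - b) % m == 0


def cancel(a, b, c, m):
    """Theorem 4.5: given ac = bc (mod m), return the modulus m/d,
    d = (c, m), for which a = b is guaranteed to hold."""
    if m <= 0:
        raise ValueError("the modulus must be positive")
    if not congruent(a * c, b * c, m):
        raise ValueError("hypothesis ac = bc (mod m) does not hold")
    reduced = m // gcd(c, m)
    assert congruent(a, b, reduced)
    return reduced


def residues_matching(a, c, m):
    """All least nonnegative residues b with bc = ac (mod m)."""
    return [b for b in range(m) if congruent(a * c, b * c, m)]


def cancellation_is_exact(m):
    """For every a and c among 0..m-1, compare the residues b with
    bc = ac (mod m) against the residues b with b = a (mod m/d)."""
    for c in range(m):
        reduced = m // gcd(c, m)
        for a in range(m):
            expected = [b for b in range(m) if congruent(a, b, reduced)]
            if residues_matching(a, c, m) != expected:
                return False
    return True


if __name__ == "__main__":
    print(cancel(7, 4, 2, 6))            # Example 4.7: valid modulo 3 only
    print(cancel(5, 2, 10, 15))          # Example 4.8: modulo 3
    print(cancel(6, 1, 7, 5))            # Example 4.9: modulus unchanged
    print(residues_matching(7, 2, 6))    # residues b with 2b = 14 (mod 6)
    print(all(cancellation_is_exact(m) for m in range(1, 40)))
```

When (c, m) = d > 1 there are d residues modulo m that give the same product with c, spaced m/d apart, which is why the common factor in Example 4.7 cannot be cancelled modulo 6.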


The following theorem, which is more general than Theorem 4.4, is also useful. Its 
proof is similar to the proof of Theorem 4.4. 


Theorem 4.6. If a, b, c, d, and m are integers such that m > 0, $a \equiv b \pmod{m}$, and
$c \equiv d \pmod{m}$, then


(i) $a + c \equiv b + d \pmod{m}$,
(ii) $a - c \equiv b - d \pmod{m}$,
(iii) $ac \equiv bd \pmod{m}$.


Proof. Because $a \equiv b \pmod{m}$ and $c \equiv d \pmod{m}$, we know that $m \mid (a - b)$ and
$m \mid (c - d)$. Hence, there are integers k and l with $km = a - b$ and $lm = c - d$.


To prove (i), note that $(a + c) - (b + d) = (a - b) + (c - d) = km + lm = (k + l)m$.
Hence, $m \mid [(a + c) - (b + d)]$. Therefore, $a + c \equiv b + d \pmod{m}$.

To prove (ii), note that $(a - c) - (b - d) = (a - b) - (c - d) = km - lm = (k - l)m$.
Hence, $m \mid [(a - c) - (b - d)]$, so that $a - c \equiv b - d \pmod{m}$.


To prove (iii), note that $ac - bd = ac - bc + bc - bd = c(a - b) + b(c - d) = ckm + blm = m(ck + bl)$.
Hence, $m \mid (ac - bd)$. Therefore, $ac \equiv bd \pmod{m}$. ■

Example 4.10. Because $13 \equiv 3 \pmod{5}$ and $7 \equiv 2 \pmod{5}$, using Theorem 4.6 we
see that $20 = 13 + 7 \equiv 3 + 2 = 5 \pmod{5}$, $6 = 13 - 7 \equiv 3 - 2 = 1 \pmod{5}$, and
$91 = 13 \cdot 7 \equiv 3 \cdot 2 = 6 \pmod{5}$. ◄


The following lemma helps us to determine whether a set of m numbers forms a 
complete set of residues modulo m. 


Lemma 4.1. A set of m incongruent integers modulo m forms a complete set of residues
modulo m.


Proof. Suppose that a set of m incongruent integers modulo m does not form a complete 
set of residues modulo m. This implies that at least one integer a is not congruent to any 
of the integers in the set. Hence, there is no integer in the set congruent modulo m to 
the remainder of a when it is divided by m. Hence, there can be at most m — 1 different 
remainders of the integers when they are divided by m. It follows (by the pigeonhole 
principle, which says that if more than n objects are distributed into n boxes, at least two 
objects are in the same box) that at least two integers in the set have the same remainder 
modulo m. This is impossible, because these integers are incongruent modulo m. Hence, 
any m incongruent integers modulo m form a complete system of residues modulo m. ■


Theorem 4.7. If $r_1, r_2, \ldots, r_m$ is a complete system of residues modulo m, and if a
is a positive integer with (a, m) = 1, then

$$ar_1 + b, ar_2 + b, \ldots, ar_m + b$$

is a complete system of residues modulo m for any integer b.

Proof. First, we show that no two of the integers

$$ar_1 + b, ar_2 + b, \ldots, ar_m + b$$

are congruent modulo m. To see this, note that if

$$ar_j + b \equiv ar_k + b \pmod{m},$$

then, by (ii) of Theorem 4.4, we know that

$$ar_j \equiv ar_k \pmod{m}.$$

Because (a, m) = 1, Corollary 4.5.1 shows that

$$r_j \equiv r_k \pmod{m}.$$

Given that $r_j \not\equiv r_k \pmod{m}$ if $j \ne k$, we conclude that j = k.


By Lemma 4.1, because the set of integers in question consists of m incongruent
integers modulo m, these integers form a complete system of residues modulo m. ■


The following theorem shows that a congruence is preserved when both sides are raised to the same positive integral power.

Theorem 4.8. If $a$, $b$, $k$, and $m$ are integers such that $k > 0$, $m > 0$, and $a \equiv b \pmod{m}$, then $a^k \equiv b^k \pmod{m}$.

Proof. Because $a \equiv b \pmod{m}$, we have $m \mid (a - b)$, and because

$$a^k - b^k = (a - b)(a^{k-1} + a^{k-2}b + \cdots + ab^{k-2} + b^{k-1}),$$

we see that $(a - b) \mid (a^k - b^k)$. Therefore, by Theorem 1.8 it follows that $m \mid (a^k - b^k)$. Hence, $a^k \equiv b^k \pmod{m}$. ∎

Example 4.11. Because $7 \equiv 2 \pmod{5}$, Theorem 4.8 tells us that $343 = 7^3 \equiv 2^3 = 8 \pmod{5}$. ◄


The following result shows how to combine congruences of two numbers to different 
moduli. 


Theorem 4.9. If $a \equiv b \pmod{m_1}$, $a \equiv b \pmod{m_2}$, ..., $a \equiv b \pmod{m_k}$, where $a$, $b$, $m_1, m_2, \ldots, m_k$ are integers with $m_1, m_2, \ldots, m_k$ positive, then

$$a \equiv b \pmod{[m_1, m_2, \ldots, m_k]},$$

where $[m_1, m_2, \ldots, m_k]$ denotes the least common multiple of $m_1, m_2, \ldots, m_k$.

Proof. The hypothesis $a \equiv b \pmod{m_1}$, $a \equiv b \pmod{m_2}$, ..., $a \equiv b \pmod{m_k}$ means that $m_1 \mid (a - b)$, $m_2 \mid (a - b)$, ..., $m_k \mid (a - b)$. By Exercise 39 of Section 3.5, we see that

$$[m_1, m_2, \ldots, m_k] \mid (a - b).$$

Consequently,

$$a \equiv b \pmod{[m_1, m_2, \ldots, m_k]}.$$ ∎

The following result is an immediate and useful consequence of this theorem.

Corollary 4.9.1. If $a \equiv b \pmod{m_1}$, $a \equiv b \pmod{m_2}$, ..., $a \equiv b \pmod{m_k}$, where $a$ and $b$ are integers and $m_1, m_2, \ldots, m_k$ are pairwise relatively prime positive integers, then

$$a \equiv b \pmod{m_1 m_2 \cdots m_k}.$$

Proof. Because $m_1, m_2, \ldots, m_k$ are pairwise relatively prime, Exercise 64 of Section 3.5 tells us that

$$[m_1, m_2, \ldots, m_k] = m_1 m_2 \cdots m_k.$$

Hence, by Theorem 4.9, we know that

$$a \equiv b \pmod{m_1 m_2 \cdots m_k}.$$ ∎


Fast Modular Exponentiation 


In our subsequent studies, we will be working with congruences involving large powers of integers. For example, we will want to find the least positive residue of $2^{644}$ modulo 645. If we attempt to find this least positive residue by first computing $2^{644}$, we would have an integer with 194 decimal digits, a most undesirable thought. Instead, to find $2^{644}$ modulo 645 we first express the exponent 644 in binary notation:

$$(644)_{10} = (1010000100)_2.$$

Next, we compute the least positive residues of $2, 2^2, 2^4, 2^8, \ldots, 2^{512}$ by successively squaring and reducing modulo 645. This gives us the congruences

$$\begin{aligned}
2 &\equiv 2 \pmod{645} \\
2^2 &\equiv 4 \pmod{645} \\
2^4 &\equiv 16 \pmod{645} \\
2^8 &\equiv 256 \pmod{645} \\
2^{16} &\equiv 391 \pmod{645} \\
2^{32} &\equiv 16 \pmod{645} \\
2^{64} &\equiv 256 \pmod{645} \\
2^{128} &\equiv 391 \pmod{645} \\
2^{256} &\equiv 16 \pmod{645} \\
2^{512} &\equiv 256 \pmod{645}.
\end{aligned}$$

We can now compute $2^{644}$ modulo 645 by multiplying the least positive residues of the appropriate powers of 2. This gives

$$2^{644} = 2^{512+128+4} = 2^{512} \cdot 2^{128} \cdot 2^{4} \equiv 256 \cdot 391 \cdot 16 = 1{,}601{,}536 \equiv 1 \pmod{645}.$$

We have just illustrated a general procedure for modular exponentiation, that is, for computing $b^N$ modulo $m$, where $b$, $m$, and $N$ are positive integers. We first express the exponent $N$ in binary notation, as $N = (a_k a_{k-1} \ldots a_1 a_0)_2$. We then find the least positive residues of $b, b^2, b^4, \ldots, b^{2^k}$ modulo $m$, by successively squaring and reducing modulo $m$. Finally, we multiply the least positive residues modulo $m$ of $b^{2^j}$ for those $j$ with $a_j = 1$, reducing modulo $m$ after each multiplication.


In our subsequent discussions, we will need an estimate for the number of bit operations needed for modular exponentiation. This is provided by the following proposition.

Theorem 4.10. Let $b$, $m$, and $N$ be positive integers such that $b < m$. Then the least positive residue of $b^N$ modulo $m$ can be computed using $O((\log_2 m)^2 \log_2 N)$ bit operations.

Proof. To find the least positive residue of $b^N$ modulo $m$, we can use the algorithm just described. First, we find the least positive residues of $b, b^2, b^4, \ldots, b^{2^k}$ modulo $m$, where $2^k \le N < 2^{k+1}$, by successively squaring and reducing modulo $m$. This requires a total of $O((\log_2 m)^2 \log_2 N)$ bit operations, because we perform $k = [\log_2 N]$ squarings modulo $m$, each requiring $O((\log_2 m)^2)$ bit operations. Next, we multiply together the least positive residues of the integers $b^{2^j}$ corresponding to the binary digits of $N$ that are equal to 1, and we reduce modulo $m$ after each multiplication. This also requires $O((\log_2 m)^2 \log_2 N)$ bit operations, because there are at most $\log_2 N$ multiplications, each requiring $O((\log_2 m)^2)$ bit operations. Therefore, a total of $O((\log_2 m)^2 \log_2 N)$ bit operations is needed. ∎
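The procedure above, written out as an added example (not code from the book): it builds the table of successive squares, multiplies the residues selected by the binary digits of $N$, and reports the number of squarings and multiplications counted in the proof of Theorem 4.10. The function names are illustrative assumptions.

```python
# Added example: function names are hypothetical, not taken from the text.

def successive_squares(b, k, m):
    """Least nonnegative residues of b, b^2, b^4, ..., b^(2^k) modulo m."""
    squares = [b % m]
    for _ in range(k):
        squares.append(squares[-1] * squares[-1] % m)  # square, then reduce
    return squares


def mod_exp(b, N, m):
    """Compute b^N mod m by the binary procedure described in the text.

    Returns (residue, squarings, multiplications) so that the operation
    counts used in the proof of Theorem 4.10 can be inspected.
    """
    if b <= 0 or N <= 0 or m <= 0:
        raise ValueError("b, N and m must be positive integers")
    k = N.bit_length() - 1                 # 2^k <= N < 2^(k+1)
    squares = successive_squares(b, k, m)  # k squarings modulo m
    # Keep the residue of b^(2^j) for every binary digit a_j of N equal to 1.
    selected = [squares[j] for j in range(k + 1) if (N >> j) & 1]
    residue = selected[0]
    multiplications = 0
    for r in selected[1:]:
        residue = residue * r % m          # reduce after each multiplication
        multiplications += 1
    return residue, k, multiplications


if __name__ == "__main__":
    # The worked case from the text: 2^644 modulo 645.
    print(successive_squares(2, 9, 645))
    print(mod_exp(2, 644, 645))
```

The running time of this version depends on the bit pattern of $N$, so where the exponent is a secret key a constant-time library routine is the appropriate choice.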


EXERCISES 


1. Show that each of the following congruences holds.

a) $13 \equiv 1 \pmod{2}$    d) $69 \equiv 62 \pmod{7}$    g) $111 \equiv -9 \pmod{40}$
b) $22 \equiv 7 \pmod{5}$    e) $-2 \equiv 1 \pmod{3}$    h) $666 \equiv 0 \pmod{37}$
c) $91 \equiv 0 \pmod{13}$    f) $-3 \equiv 30 \pmod{11}$

2. For each of these pairs of integers, determine whether they are congruent modulo 7.

a) 1, 15    c) 2, 99    e) -9, 5
b) 0, 42    d) -1, 8    f) -1, 699

3. For which positive integers $m$ is each of the following statements true?

a) $27 \equiv 5 \pmod{m}$    b) $1000 \equiv 1 \pmod{m}$    c) $1331 \equiv 0 \pmod{m}$

4. Show that if $a$ is an even integer, then $a^2 \equiv 0 \pmod{4}$, and if $a$ is an odd integer, then $a^2 \equiv 1 \pmod{4}$.

5. Show that if $a$ is an odd integer, then $a^2 \equiv 1 \pmod{8}$.


6. Find the least nonnegative residue modulo 13 of each of the following integers.
a) 22    c) 1001    e) -100
b) 100    d) -1    f) -1000

7. Find the least nonnegative residue modulo 28 of each of the following integers.
a) 99    c) 12,345    e) -1000
b) 1100    d) -1    f) -54,321

8. Find the least positive residue of $1! + 2! + 3! + \cdots + 10!$ modulo each of the following integers.
a) 3    b) 11    c) 4    d) 23

9. Find the least positive residue of $1! + 2! + 3! + \cdots + 100!$ modulo each of the following integers.
a) 2    b) 7    c) 12    d) 25

10. Show that if $a$, $b$, and $m$ are integers with $m > 0$ and $a \equiv b \pmod{m}$, then $a \bmod m = b \bmod m$.

11. Show that if $a$, $b$, and $m$ are integers with $m > 0$ and $a \bmod m = b \bmod m$, then $a \equiv b \pmod{m}$.

12. Show that if $a$, $b$, $m$, and $n$ are integers such that $m > 0$, $n > 0$, $n \mid m$, and $a \equiv b \pmod{m}$, then $a \equiv b \pmod{n}$.

13. Show that if $a$, $b$, $c$, and $m$ are integers such that $c > 0$, $m > 0$, and $a \equiv b \pmod{m}$, then $ac \equiv bc \pmod{mc}$.

14. Show that if $a$, $b$, and $c$ are integers with $c > 0$ such that $a \equiv b \pmod{c}$, then $(a, c) = (b, c)$.

15. Show that if $a_j \equiv b_j \pmod{m}$ for $j = 1, 2, \ldots, n$, where $m$ is a positive integer and $a_j$, $b_j$, $j = 1, 2, \ldots, n$, are integers, then
a) $\sum_{j=1}^{n} a_j \equiv \sum_{j=1}^{n} b_j \pmod{m}$.    b) $\prod_{j=1}^{n} a_j \equiv \prod_{j=1}^{n} b_j \pmod{m}$.

16. Find a counterexample to the statement that if m is an integer with m > 2, then (a + b) mod m = a mod m + b mod m for all integers a and b.


17. Find a counterexample to the statement that if m is an integer with m > 2, then (ab) mod 
m = (a mod m)(b mod m) for all integers a and b. 


18. Show that if m is a positive integer with m > 2, then (a + b) mod m = (a mod m + b mod 
m) mod m for all integers a and b. 


19. Show that if m is a positive integer with m > 2, then (ab) mod m = ((a mod m)(b mod m)) 
mod m for all integers a and b. 

In Exercises 20–22, construct tables for arithmetic modulo 6 using the least nonnegative residues modulo 6 to represent the congruence classes.

20. Construct a table for addition modulo 6. 

21. Construct a table for subtraction modulo 6. 

22. Construct a table for multiplication modulo 6. 


23. What time does a 12-hour clock read
a) 29 hours after it reads 11 o’clock?
b) 100 hours after it reads 2 o’clock?
c) 50 hours before it reads 6 o’clock?


24. Which decimal digits occur as the final digit of a fourth power of an integer? 
25. What can you conclude if $a^2 \equiv b^2 \pmod{p}$, where $a$ and $b$ are integers and $p$ is prime?

26. Show that if $a^k \equiv b^k \pmod{m}$ and $a^{k+1} \equiv b^{k+1} \pmod{m}$, where $a$, $b$, $k$, and $m$ are integers with $k > 0$ and $m > 0$ such that $(a, m) = 1$, then $a \equiv b \pmod{m}$. If the condition $(a, m) = 1$ is dropped, is the conclusion that $a \equiv b \pmod{m}$ still valid?

27. Show that if $n$ is an odd positive integer, then
$$1 + 2 + 3 + \cdots + (n - 1) \equiv 0 \pmod{n}.$$
Is this statement true if $n$ is even?

28. Show that if $n$ is an odd positive integer or if $n$ is a positive integer divisible by 4, then
$$1^3 + 2^3 + 3^3 + \cdots + (n - 1)^3 \equiv 0 \pmod{n}.$$
Is this statement true if $n$ is even but not divisible by 4?

29. For which positive integers $n$ is it true that
$$1^2 + 2^2 + 3^2 + \cdots + (n - 1)^2 \equiv 0 \pmod{n}?$$

30. Show by mathematical induction that if $n$ is a positive integer, then $4^n \equiv 1 + 3n \pmod{9}$.

31. Show by mathematical induction that if $n$ is a positive integer, then $5^n \equiv 1 + 4n \pmod{16}$.

32. Give a complete system of residues modulo 13 consisting entirely of odd integers.

33. Show that if $n \equiv 3 \pmod{4}$, then $n$ cannot be the sum of the squares of two integers.


34. Show that if $p$ is prime, then the only solutions of the congruence $x^2 \equiv x \pmod{p}$ are those integers $x$ such that $x \equiv 0$ or $1 \pmod{p}$.

35. Show that if $p$ is prime and $k$ is a positive integer, then the only solutions of $x^2 \equiv x \pmod{p^k}$ are those integers $x$ such that $x \equiv 0$ or $1 \pmod{p^k}$.

36. Find the least positive residues modulo 47 of each of the following integers.
a) 932 b) 947 c) 9200 
37. Let $m_1, m_2, \ldots, m_k$ be pairwise relatively prime positive integers. Let $M = m_1 m_2 \cdots m_k$ and $M_j = M/m_j$, for $j = 1, 2, \ldots, k$. Show that

$$M_1 a_1 + M_2 a_2 + \cdots + M_k a_k$$

runs through a complete system of residues modulo $M$ when $a_1, a_2, \ldots, a_k$ run through complete systems of residues modulo $m_1, m_2, \ldots, m_k$, respectively.

38. Explain how to find the sum $u + v$ from the least positive residue of $u + v$ modulo $m$, where $u$ and $v$ are positive integers less than $m$. (Hint: Assume that $u < v$, and consider separately the cases where the least positive residue of $u + v$ is less than $u$, and where it is greater than $v$.)

39. On a computer with word size $w$, multiplication modulo $n$ where $n < w/2$ can be performed as outlined. Let $T = [\sqrt{n} + 1/2]$, and $t = T^2 - n$. For each computation, show that all the required computer arithmetic can be done without exceeding the word size. (This method was described by Head [He80].)

a) Show that $0 < t < T$.

b) Show that if $x$ and $y$ are nonnegative integers less than $n$, then
$$x = aT + b, \quad y = cT + d,$$
where $a$, $b$, $c$, and $d$ are integers such that $0 < a < T$, $0 < b < T$, $0 < c < T$, and $0 < d < T$.

c) Let $z \equiv ad + bc \pmod{n}$, such that $0 < z < n$. Show that
$$xy \equiv act + zT + bd \pmod{n}.$$

d) Let $ac = eT + f$, where $e$ and $f$ are integers with $0 < e < T$ and $0 < f < T$. Show that
$$xy \equiv (z + et)T + ft + bd \pmod{n}.$$

e) Let $v \equiv z + et \pmod{n}$, such that $0 < v < n$. Show that we can write
$$v = gT + h,$$
where $g$ and $h$ are integers with $0 < g < T$, $0 < h < T$, and such that
$$xy \equiv hT + (f + g)t + bd \pmod{n}.$$

f) Show that the right-hand side of the congruence of part (e) can be computed without exceeding the word size, by first finding $j$ such that
$$j \equiv (f + g)t \pmod{n}$$
and $0 < j < n$, and then finding $k$ such that
$$k \equiv j + bd \pmod{n}$$
and $0 < k < n$, so that
$$xy \equiv hT + k \pmod{n}.$$
This gives the desired result.


40. Develop an algorithm for modular exponentiation from the base 3 expansion of the exponent. 


41. Find the least positive residue of each of the following.
a) $3^{10}$ modulo 11    c) $5^{16}$ modulo 17
b) $2^{12}$ modulo 13    d) $3^{22}$ modulo 23
e) Can you propose a theorem from the above congruences?

42. Find the least positive residues of each of the following.
a) 6! modulo 7    c) 12! modulo 13
b) 10! modulo 11    d) 16! modulo 17
e) Can you propose a theorem from the above congruences?


43. Show that for every positive integer $m$ there are infinitely many Fibonacci numbers $f_n$ such that $m$ divides $f_n$. (Hint: Show that the sequence of least positive residues modulo $m$ of the Fibonacci numbers is a repeating sequence.)


44. Prove Theorem 4.8 using mathematical induction. 


45. Show that the least nonnegative residue modulo $m$ of the product of two positive integers less than $m$ can be computed using $O(\log^2 m)$ bit operations.


46. Five men and a monkey are shipwrecked on an island. The men have collected a pile of 
coconuts that they plan to divide equally among themselves the next morning. Not trusting 
the other men, one of the group wakes up during the night and divides the coconuts into five 
equal parts with one left over, which he gives to the monkey. He then hides his portion of the 
pile. During the night, each of the other four men does exactly the same thing by dividing the 
pile he finds into five equal parts, leaving one coconut for the monkey, and hiding his portion. 
In the morning, the men gather and split the remaining pile of coconuts into five parts and 
one is left over for the monkey. What is the minimum number of coconuts the men could 
have collected for their original pile? 


47. Answer the question in Exercise 46, where instead of five men and one monkey, there are n 
men and k monkeys, and at each stage the monkeys receive one coconut each. 


We say that the polynomials $f(x)$ and $g(x)$ are congruent modulo $n$ as polynomials if for each power of $x$ the coefficients of that power in $f(x)$ and $g(x)$ are congruent modulo $n$. For example, $11x^3 + x^2 + 2$ and $x^3 - 4x^2 + 5x + 22$ are congruent as polynomials modulo 5. The notation $f(x) \equiv g(x) \pmod{n}$ is often used to denote that $f(x)$ and $g(x)$ are congruent as polynomials modulo $n$. In Exercises 48-52, assume that $n$ is a positive integer with $n > 1$ and that all polynomials have integer coefficients.

48. a) Show that if $f(x)$ and $g(x)$ are congruent as polynomials modulo $n$, then for every integer $a$, $f(a) \equiv g(a) \pmod{n}$.
b) Show that it is not necessarily true that $f(x)$ and $g(x)$ are congruent as polynomials modulo $n$ if $f(a) \equiv g(a) \pmod{n}$ for every integer $a$.

49. Show that if $f_1(x)$ and $g_1(x)$ are congruent as polynomials modulo $n$ and $f_2(x)$ and $g_2(x)$ are congruent as polynomials modulo $n$, then
a) $(f_1 + f_2)(x)$ and $(g_1 + g_2)(x)$ are congruent as polynomials modulo $n$.
b) $(f_1 f_2)(x)$ and $(g_1 g_2)(x)$ are congruent as polynomials modulo $n$.

50. Show that if $f(x)$ is a polynomial with integer coefficients and $f(a) \equiv 0 \pmod{n}$, then there is a polynomial $g(x)$ with integer coefficients such that $f(x)$ and $(x - a)g(x)$ are congruent as polynomials modulo $n$.

51. Suppose that $p$ is prime, $f(x)$ is a polynomial with integer coefficients, $a_1, a_2, \ldots, a_k$ are incongruent integers modulo $p$, and $f(a_j) \equiv 0 \pmod{p}$ for $j = 1, 2, \ldots, k$. Show that there exists a polynomial $g(x)$ with integer coefficients such that $f(x)$ and $(x - a_1)(x - a_2) \cdots (x - a_k)g(x)$ are congruent as polynomials modulo $p$.

52. Use Exercise 51 to show that if $p$ is a prime, $f(x)$ is a polynomial with integer coefficients, and $x^n$ is the largest power of $x$ with a coefficient not divisible by $p$, then the congruence $f(x) \equiv 0 \pmod{p}$ has at most $n$ incongruent solutions modulo $p$.


Computations and Explorations

1. Compute the least positive residue modulo 10,403 of 7651871.

2. Compute the least positive residue modulo 10,403 of 76512.


Programming Projects

1. Find the least nonnegative residue of an integer with respect to a fixed modulus.

2. Perform modular addition and subtraction when the modulus is less than half of the word size of the computer.

3. Perform modular multiplication when the modulus is less than half of the word size of the computer, using Exercise 31.

4. Perform modular exponentiation using the algorithm described in the text.


4.2 Linear Congruences
A congruence of the form

$$ax \equiv b \pmod{m},$$

where $x$ is an unknown integer, is called a linear congruence in one variable. In this section, we will see that the study of such congruences is similar to the study of linear diophantine equations in two variables.

We first note that if $x = x_0$ is a solution of the congruence $ax \equiv b \pmod{m}$, and if $x_1 \equiv x_0 \pmod{m}$, then $ax_1 \equiv ax_0 \equiv b \pmod{m}$, so that $x_1$ is also a solution. Hence, if one member of a congruence class modulo $m$ is a solution, then all members of this class are solutions. Therefore, we may ask how many of the $m$ congruence classes modulo $m$ give solutions; this is exactly the same as asking how many incongruent solutions there are modulo $m$. The following theorem tells us when a linear congruence in one variable has solutions, and if it does, tells exactly how many incongruent solutions there are modulo $m$.


Theorem 4.11. Let $a$, $b$, and $m$ be integers such that $m > 0$ and $(a, m) = d$. If $d \nmid b$, then $ax \equiv b \pmod{m}$ has no solutions. If $d \mid b$, then $ax \equiv b \pmod{m}$ has exactly $d$ incongruent solutions modulo $m$.

Proof. By Theorem 4.1, the linear congruence $ax \equiv b \pmod{m}$ is equivalent to the linear diophantine equation in two variables $ax - my = b$. The integer $x$ is a solution of $ax \equiv b \pmod{m}$ if and only if there is an integer $y$ such that $ax - my = b$. By Theorem 3.23, we know that if $d \nmid b$, there are no solutions, whereas if $d \mid b$, $ax - my = b$ has infinitely many solutions, given by

$$x = x_0 + (m/d)t, \quad y = y_0 + (a/d)t,$$

where $x = x_0$ and $y = y_0$ is a particular solution of the equation. The values of $x$ given above,

$$x = x_0 + (m/d)t,$$

are the solutions of the linear congruence; there are infinitely many of these.

To determine how many incongruent solutions there are, we find the condition that describes when two of the solutions $x_1 = x_0 + (m/d)t_1$ and $x_2 = x_0 + (m/d)t_2$ are congruent modulo $m$. If these two solutions are congruent, then

$$x_0 + (m/d)t_1 \equiv x_0 + (m/d)t_2 \pmod{m}.$$

Subtracting $x_0$ from both sides of this congruence, we find that

$$(m/d)t_1 \equiv (m/d)t_2 \pmod{m}.$$

Now $(m, m/d) = m/d$ because $(m/d) \mid m$, so that by Theorem 4.4, we see that

$$t_1 \equiv t_2 \pmod{d}.$$

This shows that a complete set of incongruent solutions is obtained by taking $x = x_0 + (m/d)t$, where $t$ ranges through a complete system of residues modulo $d$. One such set is given by $x = x_0 + (m/d)t$, where $t = 0, 1, 2, \ldots, d - 1$. ∎


A linear congruence where the multiplier $a$ and the modulus $m$ are relatively prime has a unique solution, as Corollary 4.11.1 shows.

Corollary 4.11.1. If $a$ and $m$ are relatively prime integers with $m > 0$ and $b$ is an integer, then the linear congruence $ax \equiv b \pmod{m}$ has a unique solution modulo $m$.

Proof. Because $(a, m) = 1$, we know that $(a, m) \mid b$. Consequently, by Theorem 4.11, it follows that the congruence $ax \equiv b \pmod{m}$ has exactly $(a, m) = 1$ incongruent solution modulo $m$. ∎


We now illustrate the use of Theorem 4.11.

Example 4.12. To find all solutions of $9x \equiv 12 \pmod{15}$, we first note that because $(9, 15) = 3$ and $3 \mid 12$, there are exactly three incongruent solutions. We can find these solutions by first finding a particular solution and then adding the appropriate multiples of $15/3 = 5$.

To find a particular solution, we consider the linear diophantine equation $9x - 15y = 12$. The Euclidean algorithm shows that

$$\begin{aligned}
15 &= 9 \cdot 1 + 6 \\
9 &= 6 \cdot 1 + 3 \\
6 &= 3 \cdot 2,
\end{aligned}$$

so that $3 = 9 - 6 \cdot 1 = 9 - (15 - 9 \cdot 1) = 9 \cdot 2 - 15$. Hence, $9 \cdot 8 - 15 \cdot 4 = 12$, and a particular solution of $9x - 15y = 12$ is given by $x_0 = 8$ and $y_0 = 4$.

From the proof of Theorem 4.11, we see that a complete set of three incongruent solutions is given by $x = x_0 \equiv 8 \pmod{15}$, $x = x_0 + 5 \equiv 13 \pmod{15}$, and $x = x_0 + 5 \cdot 2 \equiv 18 \equiv 3 \pmod{15}$. ◄


Modular Inverses We now consider congruences of the special form $ax \equiv 1 \pmod{m}$. By Theorem 4.11, there is a solution to this congruence if and only if $(a, m) = 1$, and then all solutions are congruent modulo $m$.

Definition. Given an integer $a$ with $(a, m) = 1$, an integer solution $x$ of $ax \equiv 1 \pmod{m}$ is called an inverse of $a$ modulo $m$.

Example 4.13. Because the solutions of $7x \equiv 1 \pmod{31}$ satisfy $x \equiv 9 \pmod{31}$, 9 and all integers congruent to 9 modulo 31 are inverses of 7 modulo 31. Analogously, because $9 \cdot 7 \equiv 1 \pmod{31}$, 7 is an inverse of 9 modulo 31. ◄

When we have an inverse of $a$ modulo $m$, we can use it to solve any congruence of the form $ax \equiv b \pmod{m}$. To see this, let $\bar{a}$ be an inverse of $a$ modulo $m$, so that $a\bar{a} \equiv 1 \pmod{m}$. Then, if $ax \equiv b \pmod{m}$, we can multiply both sides of this congruence by $\bar{a}$ to find that $\bar{a}(ax) \equiv \bar{a}b \pmod{m}$, so that $x \equiv \bar{a}b \pmod{m}$.

Example 4.14. To find the solutions of $7x \equiv 22 \pmod{31}$, we multiply both sides of this congruence by 9, an inverse of 7 modulo 31, to obtain $9 \cdot 7x \equiv 9 \cdot 22 \pmod{31}$. Hence, $x \equiv 198 \equiv 12 \pmod{31}$. ◄


Example 4.15. To find all solutions of $7x \equiv 4 \pmod{12}$, we note that because $(7, 12) = 1$, there is a unique solution modulo 12. To find this, we need only obtain a solution of the linear diophantine equation $7x - 12y = 4$. The Euclidean algorithm gives

$$\begin{aligned}
12 &= 7 \cdot 1 + 5 \\
7 &= 5 \cdot 1 + 2 \\
5 &= 2 \cdot 2 + 1 \\
2 &= 1 \cdot 2.
\end{aligned}$$

Hence, $1 = 5 - 2 \cdot 2 = 5 - (7 - 5 \cdot 1) \cdot 2 = 5 \cdot 3 - 2 \cdot 7 = (12 - 7 \cdot 1) \cdot 3 - 2 \cdot 7 = 12 \cdot 3 - 5 \cdot 7$. Therefore, a particular solution to the linear diophantine equation is $x_0 = -20$ and $y_0 = -12$. Hence, all solutions of the linear congruences are given by $x \equiv -20 \equiv 4 \pmod{12}$. ◄


Later we will want to know which integers are their own inverses modulo p, where 
p is prime. The following theorem tells us which integers have this property. 


Theorem 4.12. Let $p$ be prime. The positive integer $a$ is its own inverse modulo $p$ if and only if $a \equiv 1 \pmod{p}$ or $a \equiv -1 \pmod{p}$.

Proof. If $a \equiv 1 \pmod{p}$ or $a \equiv -1 \pmod{p}$, then $a^2 \equiv 1 \pmod{p}$, so that $a$ is its own inverse modulo $p$.

Conversely, if $a$ is its own inverse modulo $p$, then $a^2 = a \cdot a \equiv 1 \pmod{p}$. Hence, $p \mid (a^2 - 1)$. Because $a^2 - 1 = (a - 1)(a + 1)$, this implies that $p \mid (a - 1)$ or $p \mid (a + 1)$. Therefore, $a \equiv 1 \pmod{p}$ or $a \equiv -1 \pmod{p}$. ∎


EXERCISES 


1. Find all solutions of each of the following linear congruences.

a) $2x \equiv 5 \pmod{7}$    c) $19x \equiv 30 \pmod{40}$    e) $103x \equiv 444 \pmod{999}$
b) $3x \equiv 6 \pmod{9}$    d) $9x \equiv 5 \pmod{25}$    f) $980x \equiv 1500 \pmod{1600}$

2. Find all solutions of each of the following linear congruences.

a) $3x \equiv 2 \pmod{7}$    c) $17x \equiv 14 \pmod{21}$    e) $128x \equiv 833 \pmod{1001}$
b) $6x \equiv 3 \pmod{9}$    d) $15x \equiv 9 \pmod{25}$    f) $987x \equiv 610 \pmod{1597}$

3. Find all solutions to the congruence $6{,}789{,}783x \equiv 2{,}474{,}010 \pmod{28{,}927{,}591}$.

4. Suppose that $p$ is prime and that $a$ and $b$ are positive integers with $(p, a) = 1$. The following method can be used to solve the linear congruence $ax \equiv b \pmod{p}$.

a) Show that if the integer $x$ is a solution of $ax \equiv b \pmod{p}$, then $x$ is also a solution of the linear congruence
$$a_1 x \equiv -b[m/a] \pmod{p},$$
where $a_1$ is the least positive residue of $p$ modulo $a$. Note that this congruence is of the same type as the original congruence, with a positive integer smaller than $a$ as the coefficient of $x$.

b) When the procedure of part (a) is iterated, one obtains a sequence of linear congruences with coefficients of $x$ equal to $a_0 = a > a_1 > a_2 > \cdots$. Show that there is a positive integer $n$ with $a_n = 1$, so that at the $n$th stage, one obtains a linear congruence $x \equiv B \pmod{p}$.

c) Use the method described in part (b) to solve the linear congruence $6x \equiv 7 \pmod{23}$.

5. An astronomer knows that a satellite orbits the Earth in a period that is an exact multiple of 1 hour that is less than 1 day. If the astronomer notes that the satellite completes 11 orbits in an interval that starts when a 24-hour clock reads 0 hours and ends when the clock reads 17 hours, how long is the orbital period of the satellite?

6. For which integers $c$, $0 < c < 30$, does the congruence $12x \equiv c \pmod{30}$ have solutions? When there are solutions, how many incongruent solutions are there?

7. For which integers $c$, $0 < c < 1001$, does the congruence $154x \equiv c \pmod{1001}$ have solutions? When there are solutions, how many incongruent solutions are there?

8. Find an inverse modulo 13 of each of the following integers.

a) 2    b) 3    c) 5    d) 11

9. Find an inverse modulo 17 of each of the following integers.

a) 4    b) 5    c) 7    d) 16

10. a) Determine which integers $a$, where $1 < a < 14$, have an inverse modulo 14.
b) Find the inverse of each of the integers from part (a) that have an inverse modulo 14.

11. a) Determine which integers $a$, where $1 < a < 30$, have an inverse modulo 30.
b) Find the inverse of each of the integers from part (a) that have an inverse modulo 30.

12. Show that if $\bar{a}$ is an inverse of $a$ modulo $m$ and $\bar{b}$ is an inverse of $b$ modulo $m$, then $\bar{a}\,\bar{b}$ is an inverse of $ab$ modulo $m$.

13. Show that the linear congruence in two variables $ax + by \equiv c \pmod{m}$, where $a$, $b$, $c$, and $m$ are integers, $m > 0$, with $d = (a, b, m)$, has exactly $dm$ incongruent solutions if $d \mid c$, and no solutions otherwise.

14. Find all solutions of each of the following linear congruences in two variables.
a) $2x + 3y \equiv 1 \pmod{7}$    c) $6x + 3y \equiv 0 \pmod{9}$
b) $2x + 4y \equiv 6 \pmod{8}$    d) $10x + 5y \equiv 9 \pmod{15}$

15. Let $p$ be an odd prime and $k$ a positive integer. Show that the congruence $x^2 \equiv 1 \pmod{p^k}$ has exactly two incongruent solutions, namely, $x \equiv \pm 1 \pmod{p^k}$.

16. Show that the congruence $x^2 \equiv 1 \pmod{2^k}$ has exactly four incongruent solutions, namely, $x \equiv \pm 1$ or $\pm(1 + 2^{k-1}) \pmod{2^k}$, when $k > 2$. Show that when $k = 1$ there is one solution and that when $k = 2$ there are two incongruent solutions.


Show that if a and m are relatively prime positive integers such that a < m, then an inverse 
of a modulo m can be found using O (log? m) bit operations. 


18. Show that if $p$ is an odd prime and $a$ is a positive integer not divisible by $p$, then the congruence $x^2 \equiv a \pmod{p}$ has either no solution or exactly two incongruent solutions.


Computations and Explorations

1. Find the solutions of $123{,}456{,}789x \equiv 9{,}876{,}543{,}210 \pmod{10{,}000{,}000{,}001}$.
2. Find the solutions of $333{,}333{,}333x \equiv 87{,}543{,}211{,}376 \pmod{967{,}454{,}302{,}211}$.
3. Find the inverses of 734,342; 499,999; and 1,000,001 modulo 1,533,331.


Programming Projects

1. Solve linear congruences using the method given in the text.

2. Solve linear congruences using the method given in Exercise 4.

3. Given an integer a relatively prime to a positive integer m > 2, find the inverse of a modulo m.

4. Solve linear congruences using inverses.

5. Solve linear congruences in two variables.


4.3 The Chinese Remainder Theorem


In this and in the following section, we discuss systems of simultaneous congruences. 
We will study two types of such systems: In the first type, there are two or more linear 
congruences in one variable, with different moduli. The second type consists of more 
than one simultaneous congruence in more than one variable, where all congruences 
have the same modulus. 


First, we consider systems of congruences that involve only one unknown, but 
different moduli. Such systems arose in ancient Chinese puzzles such as the following 
problem, which appears in Master Sun’s Mathematical Manual, written late in the third 
century C.E. Find a number that leaves a remainder of 1 when divided by 3, a remainder 
of 2 when divided by 5, and a remainder of 3 when divided by 7. This puzzle leads to 
the following system of congruences: 


$$x \equiv 1 \pmod{3}, \quad x \equiv 2 \pmod{5}, \quad x \equiv 3 \pmod{7}.$$


Problems involving systems of congruences occur in the writings of the Greek 
mathematician Nicomachus in the first century. They also can be found in the works of 
Brahmagupta in India in the seventh century. However, it was not until the year 1247 that 
a general method for solving systems of linear congruences was published by Ch’in Chiu- 
Shao in his Mathematical Treatise in Nine Sections. We now present the main theorem 
concerning the solution of systems of linear congruences in one unknown. This theorem 
is called the Chinese remainder theorem, most likely because of the contributions of 
Chinese mathematicians such as Ch’in Chiu-Shao to its solution. (For more information 
about the history of the Chinese remainder theorem, consult [Ne69], [LiDu87], [Li73], 
and [Ka98].) 


Theorem 4.13. The Chinese Remainder Theorem. Let $m_1, m_2, \ldots, m_r$ be pairwise relatively prime positive integers. Then the system of congruences

$$\begin{aligned}
x &\equiv a_1 \pmod{m_1} \\
x &\equiv a_2 \pmod{m_2} \\
&\ \ \vdots \\
x &\equiv a_r \pmod{m_r}
\end{aligned}$$

has a unique solution modulo $M = m_1 m_2 \cdots m_r$.

Proof. First, we construct a simultaneous solution to the system of congruences. To do this, let $M_k = M/m_k = m_1 m_2 \cdots m_{k-1} m_{k+1} \cdots m_r$. We know that $(M_k, m_k) = 1$ by Exercise 14 of Section 3.3, because $(m_j, m_k) = 1$ whenever $j \neq k$. Hence, by Theorem 4.11 we can find an inverse $y_k$ of $M_k$ modulo $m_k$, so that $M_k y_k \equiv 1 \pmod{m_k}$. We now form the sum

$$x = a_1 M_1 y_1 + a_2 M_2 y_2 + \cdots + a_r M_r y_r.$$

The integer $x$ is a simultaneous solution of the $r$ congruences. To demonstrate this, we must show that $x \equiv a_k \pmod{m_k}$ for $k = 1, 2, \ldots, r$. Because $m_k \mid M_j$ whenever $j \neq k$, we have $M_j \equiv 0 \pmod{m_k}$. Therefore, in the sum for $x$, all terms except the $k$th term are congruent to $0 \pmod{m_k}$. Hence, $x \equiv a_k M_k y_k \equiv a_k \pmod{m_k}$, because $M_k y_k \equiv 1 \pmod{m_k}$.

We now show that any two solutions are congruent modulo $M$. Let $x_0$ and $x_1$ both be simultaneous solutions to the system of $r$ congruences. Then, for each $k$, $x_0 \equiv x_1 \equiv a_k \pmod{m_k}$, so that $m_k \mid (x_0 - x_1)$. Using Theorem 4.9, we see that $M \mid (x_0 - x_1)$. Therefore, $x_0 \equiv x_1 \pmod{M}$. This shows that the simultaneous solution of the system of $r$ congruences is unique modulo $M$. ∎


We illustrate the use of the Chinese remainder theorem by solving the system that 
arises from the ancient Chinese puzzle. 


Example 4.16. To solve the system

$$\begin{aligned}
x &\equiv 1 \pmod{3} \\
x &\equiv 2 \pmod{5} \\
x &\equiv 3 \pmod{7},
\end{aligned}$$

we have $M = 3 \cdot 5 \cdot 7 = 105$, $M_1 = 105/3 = 35$, $M_2 = 105/5 = 21$, and $M_3 = 105/7 = 15$. To determine $y_1$, we solve $35y_1 \equiv 1 \pmod{3}$, or equivalently, $2y_1 \equiv 1 \pmod{3}$. This yields $y_1 \equiv 2 \pmod{3}$. We find $y_2$ by solving $21y_2 \equiv 1 \pmod{5}$; this immediately gives $y_2 \equiv 1 \pmod{5}$. Finally, we find $y_3$ by solving $15y_3 \equiv 1 \pmod{7}$. This gives $y_3 \equiv 1 \pmod{7}$. Hence,

$$x \equiv 1 \cdot 35 \cdot 2 + 2 \cdot 21 \cdot 1 + 3 \cdot 15 \cdot 1 \equiv 157 \equiv 52 \pmod{105}.$$

We can check that $x$ satisfies this system of congruences whenever $x \equiv 52 \pmod{105}$ by noting that $52 \equiv 1 \pmod{3}$, $52 \equiv 2 \pmod{5}$, and $52 \equiv 3 \pmod{7}$. ◄


CH’IN CHIU-SHAO (1202-1261) was born in the Chinese province of Sichuan. He studied astronomy at Hangzhou, the capital of the Song dynasty. He spent ten years in dangerous and difficult conditions at the frontier, where battles with the Mongols under Genghis Khan were under way. He wrote that he was instructed in mathematics by a “recluse scholar.” During his time at the frontier, he investigated mathematical problems. He selected 81 of these, divided them into nine classes, and described them in his book Mathematical Treatise in Nine Sections. This book covers systems of linear congruences, the Chinese remainder theorem, algebraic equations, areas of geometrical figures, systems of linear equations, and other topics.

Ch’in Chiu-Shao was considered to be a mathematical genius and was talented in architecture, music, and poetry, as well as in many sports, including archery, fencing, and horsemanship. He held several different positions in government, but was relieved of his duties many times because of corruption. He was considered to be extravagant, boastful, and obsessed with his own advancement. He managed to amass great wealth and through deceit had an immense house constructed at a magnificent site. The back of this house contained a series of rooms for lodging female musicians and singers. Ch’in Chiu-Shao developed a notorious reputation in love affairs.


There is also an iterative method for solving simultaneous systems of congruences. 
We illustrate this method with an example. 


Example 4.17. Suppose we wish to solve the system

$$
\begin{aligned}
x &\equiv 1 \pmod{5} \\
x &\equiv 2 \pmod{6} \\
x &\equiv 3 \pmod{7}.
\end{aligned}
$$

We use Theorem 4.1 to rewrite the first congruence as an equality, namely, $x = 5t + 1$,
where $t$ is an integer. Inserting this expression for $x$ into the second congruence, we find
that

$$5t + 1 \equiv 2 \pmod{6},$$

which can easily be solved to show that $t \equiv 5 \pmod{6}$. Using Theorem 4.1 again, we
write $t = 6u + 5$, where $u$ is an integer. Hence, $x = 5(6u + 5) + 1 = 30u + 26$. When
we insert this expression for $x$ into the third congruence, we obtain

$$30u + 26 \equiv 3 \pmod{7}.$$

When this congruence is solved, we find that $u \equiv 6 \pmod{7}$. Consequently, Theorem 4.1
tells us that $u = 7v + 6$, where $v$ is an integer. Hence,

$$x = 30(7v + 6) + 26 = 210v + 206.$$

Translating this equality into a congruence, we find that

$$x \equiv 206 \pmod{210},$$

and this is the simultaneous solution. ◄


Note that the method we have just illustrated shows that a system of simultaneous
congruences can be solved by successively solving linear congruences. This can be done
even when the moduli of the congruences are not relatively prime as long as the congruences
are consistent (see Exercises 15-20 at the end of this section).


Computer Arithmetic Using the Chinese Remainder Theorem

The Chinese remainder theorem provides a way to perform computer arithmetic with large integers.
To store very large integers and do arithmetic with them requires special techniques.
The Chinese remainder theorem tells us that given pairwise relatively prime moduli
$m_1, m_2, \ldots, m_r$, a positive integer $n$ such that $n < M = m_1 m_2 \cdots m_r$ is uniquely
determined by its least positive residues modulo $m_j$ for $j = 1, 2, \ldots, r$. Suppose that the
word size of a computer is only 100, but that we wish to do arithmetic with integers as
large as $10^6$. First, we find pairwise relatively prime integers less than 100 with a product
exceeding $10^6$; for instance, we can take $m_1 = 99$, $m_2 = 98$, $m_3 = 97$, and $m_4 = 95$. We
convert integers less than $10^6$ into 4-tuples consisting of their least positive residues
modulo $m_1$, $m_2$, $m_3$, and $m_4$. (To convert integers as large as $10^6$ into their list of least
positive residues, we need to work with large integers using multiprecision techniques. However,
this is done only once for each integer in the input and once for the output.) Then, for
instance, to add integers, we simply add their respective least positive residues modulo
$m_1$, $m_2$, $m_3$, and $m_4$, making use of the fact that if $x \equiv x_i \pmod{m_i}$ and
$y \equiv y_i \pmod{m_i}$, then $x + y \equiv x_i + y_i \pmod{m_i}$. We then use the Chinese remainder
theorem to convert the set of four least positive residues for the sum back to an integer.


The following example illustrates this technique. 


Example 4.18. We wish to add $x = 123{,}684$ and $y = 413{,}456$ on a computer of word
size 100. We have

$$
\begin{aligned}
x &\equiv 33 \pmod{99} & y &\equiv 32 \pmod{99} \\
x &\equiv 8 \pmod{98} & y &\equiv 92 \pmod{98} \\
x &\equiv 9 \pmod{97} & y &\equiv 42 \pmod{97} \\
x &\equiv 89 \pmod{95} & y &\equiv 16 \pmod{95}
\end{aligned}
$$

so that

$$
\begin{aligned}
x + y &\equiv 65 \pmod{99} \\
x + y &\equiv 2 \pmod{98} \\
x + y &\equiv 51 \pmod{97} \\
x + y &\equiv 10 \pmod{95}.
\end{aligned}
$$

We now use the Chinese remainder theorem to find $x + y$ modulo $99 \cdot 98 \cdot 97 \cdot 95$.
We have $M = 99 \cdot 98 \cdot 97 \cdot 95 = 89{,}403{,}930$, $M_1 = M/99 = 903{,}070$,
$M_2 = M/98 = 912{,}285$, $M_3 = M/97 = 921{,}690$, and $M_4 = M/95 = 941{,}094$. We need to find the
inverse of $M_i$ modulo $m_i$ for $i = 1, 2, 3, 4$. To do this, we solve the following congruences
(using the Euclidean algorithm):

$$
\begin{aligned}
903{,}070\,y_1 &\equiv 91y_1 \equiv 1 \pmod{99} \\
912{,}285\,y_2 &\equiv 3y_2 \equiv 1 \pmod{98} \\
921{,}690\,y_3 &\equiv 93y_3 \equiv 1 \pmod{97} \\
941{,}094\,y_4 &\equiv 24y_4 \equiv 1 \pmod{95}.
\end{aligned}
$$

We find that $y_1 \equiv 37 \pmod{99}$, $y_2 \equiv 33 \pmod{98}$, $y_3 \equiv 24 \pmod{97}$, and
$y_4 \equiv 4 \pmod{95}$. Hence,

$$
\begin{aligned}
x + y &\equiv 65 \cdot 903{,}070 \cdot 37 + 2 \cdot 912{,}285 \cdot 33 + 51 \cdot 921{,}690 \cdot 24 + 10 \cdot 941{,}094 \cdot 4 \\
      &= 3{,}397{,}886{,}480 \\
      &\equiv 537{,}140 \pmod{89{,}403{,}930}.
\end{aligned}
$$

Because $0 < x + y < 89{,}403{,}930$, we conclude that $x + y = 537{,}140$. ◄


On most computers, the word size is a large power of 2, with $2^{35}$ a common value.
Hence, to use modular arithmetic and the Chinese remainder theorem to do computer
arithmetic, we need integers less than $2^{35}$ that are pairwise relatively prime and that
multiply together to give a large integer. To find such integers, we use numbers of the
form $2^m - 1$, where $m$ is a positive integer. Computer arithmetic with these numbers
turns out to be relatively simple (see [Kn97]). To produce a set of pairwise relatively
prime numbers of this form, we first prove two lemmas.


Lemma 4.2. If $a$ and $b$ are positive integers, then the least positive residue of $2^a - 1$
modulo $2^b - 1$ is $2^r - 1$, where $r$ is the least positive residue of $a$ modulo $b$.


Proof. From the division algorithm, $a = bq + r$, where $r$ is the least positive residue
of $a$ modulo $b$. We have

$$2^a - 1 = 2^{bq+r} - 1 = (2^b - 1)\left(2^{b(q-1)+r} + \cdots + 2^{b+r} + 2^r\right) + (2^r - 1),$$

which shows that the remainder when $2^a - 1$ is divided by $2^b - 1$ is $2^r - 1$; this
is the least positive residue of $2^a - 1$ modulo $2^b - 1$. ■


We use Lemma 4.2 to prove the following result. 


Lemma 4.3. If $a$ and $b$ are positive integers, then the greatest common divisor of $2^a - 1$
and $2^b - 1$ is $2^{(a,b)} - 1$.


Proof. Without loss of generality, we assume that $a \ge b$. When we perform the
Euclidean algorithm with $a = r_0$ and $b = r_1$, we obtain

$$
\begin{aligned}
r_0 &= r_1 q_1 + r_2, & 0 &\le r_2 < r_1 \\
r_1 &= r_2 q_2 + r_3, & 0 &\le r_3 < r_2 \\
    &\;\;\vdots \\
r_{n-3} &= r_{n-2} q_{n-2} + r_{n-1}, & 0 &\le r_{n-1} < r_{n-2} \\
r_{n-2} &= r_{n-1} q_{n-1},
\end{aligned}
$$

where the last remainder, $r_{n-1}$, is the greatest common divisor of $a$ and $b$.


Now, we apply the Euclidean algorithm a second time to the pair $R_0 = 2^a - 1$ and
$R_1 = 2^b - 1$, applying Lemma 4.2 to obtain the remainder at each step:

$$
\begin{aligned}
R_0 &= R_1 Q_1 + R_2, & R_2 &= 2^{r_2} - 1 \\
R_1 &= R_2 Q_2 + R_3, & R_3 &= 2^{r_3} - 1 \\
    &\;\;\vdots \\
R_{n-3} &= R_{n-2} Q_{n-2} + R_{n-1}, & R_{n-1} &= 2^{r_{n-1}} - 1 \\
R_{n-2} &= R_{n-1} Q_{n-1}.
\end{aligned}
$$

Here, the last nonzero remainder, $R_{n-1} = 2^{r_{n-1}} - 1 = 2^{(a,b)} - 1$, is the greatest common
divisor of $R_0$ and $R_1$. ■


Using Lemma 4.3, we have the following theorem. 


Theorem 4.14. The positive integers $2^a - 1$ and $2^b - 1$ are relatively prime if and only
if $a$ and $b$ are relatively prime.


We can now use Theorem 4.14 to produce a set of pairwise relatively prime integers,
each of which is less than $2^{35}$, with product greater than a specified integer. Suppose
that we wish to do arithmetic with integers as large as $2^{184}$. We pick $m_1 = 2^{35} - 1$,
$m_2 = 2^{34} - 1$, $m_3 = 2^{33} - 1$, $m_4 = 2^{31} - 1$, $m_5 = 2^{29} - 1$, and $m_6 = 2^{23} - 1$. Because the
exponents of 2 in the expressions for the $m_j$ are pairwise relatively prime, by Theorem
4.13 the $m_j$ are pairwise relatively prime. Also, we have $M = m_1 m_2 m_3 m_4 m_5 m_6 > 2^{184}$.
We can now use modular arithmetic and the Chinese remainder theorem to perform
arithmetic with integers as large as $2^{184}$.


Although it is somewhat awkward to do computer operations with large integers 
using modular arithmetic and the Chinese remainder theorem, there are some definite 
advantages to this approach. First, on many high-speed computers, operations can be 
performed simultaneously. So, reducing an operation involving two large integers to 
a set of operations involving smaller integers, namely, the least positive residues of the 
large integers with respect to the various moduli, leads to simultaneous computations that 
may be performed more rapidly than one operation with large integers, especially when 
parallel processing is used. Second, even without taking into account the advantages of 
simultaneous computations, multiplication of large integers may be done faster using 
these ideas than with many other multiprecision methods. The interested reader should 
consult Knuth [Kn97]. 
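

The iterative method of Example 4.17 and the residue arithmetic of Example 4.18 can be carried out mechanically; the following Python sketch is an added example, not code from the book. All function and constant names are assumptions made for this illustration, and the non-coprime handling follows the divisibility condition stated in Exercise 15.

```python
from math import gcd, prod


def merge(a1, m1, a2, m2):
    """Combine x = a1 (mod m1) and x = a2 (mod m2) into one congruence.

    Substitution method of Example 4.17: write x = a1 + m1*t and solve
    m1*t = a2 - a1 (mod m2) for t. Returns (x, lcm(m1, m2)), or None when
    gcd(m1, m2) does not divide a2 - a1, i.e. the pair is inconsistent.
    """
    g = gcd(m1, m2)
    if (a2 - a1) % g:
        return None
    m2_red = m2 // g
    # After dividing through by g, m1/g is invertible modulo m2/g.
    t = ((a2 - a1) // g) * pow(m1 // g, -1, m2_red) % m2_red
    modulus = m1 * m2_red
    return (a1 + m1 * t) % modulus, modulus


def solve_system(congruences):
    """Solve [(a_1, m_1), (a_2, m_2), ...] one congruence at a time.

    Returns (x, M) with 0 <= x < M = lcm of the moduli, or None if the
    system has no simultaneous solution.
    """
    x, modulus = 0, 1
    for a, m in congruences:
        merged = merge(x, modulus, a % m, m)
        if merged is None:
            return None
        x, modulus = merged
    return x, modulus


def pairwise_coprime(moduli):
    """True when every pair of moduli has greatest common divisor 1."""
    return all(gcd(a, b) == 1
               for i, a in enumerate(moduli) for b in moduli[i + 1:])


def capacity(moduli):
    """Product M of the moduli: integers below M are uniquely represented."""
    return prod(moduli)


def to_residues(n, moduli):
    """Represent n by its residues modulo each modulus."""
    return tuple(n % m for m in moduli)


def from_residues(residues, moduli):
    """Recover the unique integer below the product of the moduli."""
    solution = solve_system(zip(residues, moduli))
    if solution is None:
        raise ValueError("residues are inconsistent for these moduli")
    return solution[0]


def rns_add(xs, ys, moduli):
    """Add two residue tuples component by component."""
    return tuple((x + y) % m for x, y, m in zip(xs, ys, moduli))


def rns_mul(xs, ys, moduli):
    """Multiply two residue tuples component by component."""
    return tuple((x * y) % m for x, y, m in zip(xs, ys, moduli))


# Moduli of Example 4.18 (word size 100).
WORD100 = (99, 98, 97, 95)
# The six moduli 2^e - 1 chosen in the text for integers up to 2^184.
POW2_MODULI = tuple(2**e - 1 for e in (35, 34, 33, 31, 29, 23))

if __name__ == "__main__":
    print(solve_system([(1, 3), (2, 5), (3, 7)]))      # Example 4.16
    print(solve_system([(1, 5), (2, 6), (3, 7)]))      # Example 4.17
    print(solve_system([(1, 4), (2, 6)]))              # constructed, inconsistent
    x, y = to_residues(123684, WORD100), to_residues(413456, WORD100)
    print(from_residues(rns_add(x, y, WORD100), WORD100))  # Example 4.18
    # Constructed operands whose product stays below 2^184.
    a, b = 2**91 + 12345, 2**92 - 777
    ra, rb = to_residues(a, POW2_MODULI), to_residues(b, POW2_MODULI)
    print(from_residues(rns_mul(ra, rb, POW2_MODULI), POW2_MODULI) == a * b)
```

The result of a residue computation is only meaningful while the true value stays below the product of the moduli; beyond that, `from_residues` returns the value reduced modulo that product.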


EXERCISES 


1. Which integers leave a remainder of 1 when divided by both 2 and 3? 


2. Find an integer that leaves a remainder of 1 when divided by either 2 or 5, but that is divisible 
by 3. 


3. Find an integer that leaves a remainder of 2 when divided by either 3 or 5, but that is divisible 
by 4. 


4. Find all the solutions of each of the following systems of linear congruences. 


a) $x \equiv 4 \pmod{11}$
   $x \equiv 3 \pmod{17}$

b) $x \equiv 1 \pmod{2}$
   $x \equiv 2 \pmod{3}$
   $x \equiv 3 \pmod{5}$

c) $x \equiv 0 \pmod{2}$
   $x \equiv 0 \pmod{3}$
   $x \equiv 1 \pmod{5}$
   $x \equiv 6 \pmod{7}$

d) $x \equiv 2 \pmod{11}$
   $x \equiv 3 \pmod{12}$
   $x \equiv 4 \pmod{13}$
   $x \equiv 5 \pmod{17}$
   $x \equiv 6 \pmod{19}$


5. Find all the solutions to the system of linear congruences $x \equiv 1 \pmod{2}$, $x \equiv 2 \pmod{3}$,
$x \equiv 3 \pmod{5}$, $x \equiv 4 \pmod{7}$, and $x \equiv 5 \pmod{11}$.


6. Find all the solutions to the system of linear congruences $x \equiv 1 \pmod{999}$, $x \equiv 2 \pmod{1001}$,
$x \equiv 3 \pmod{1003}$, $x \equiv 4 \pmod{1004}$, and $x \equiv 5 \pmod{1007}$.


7. A troop of 17 monkeys store their bananas in 11 piles of equal size, each containing more
than 1 banana, with a twelfth pile of 6 left over. When they divide the bananas into 17 equal
groups, none remain. What is the smallest number of bananas they can have?


8. As an odometer check, a special counter measures the miles a car travels modulo 7. Explain
how this counter can be used to determine whether the car has been driven 49,335; 149,335;
or 249,335 miles when the odometer reads 49,335 and works modulo 100,000.


9. Chinese generals counted troops remaining after a battle by lining them up in rows of
different lengths, counting the number left over each time, and calculating the total from
these remainders. If a general had 1200 troops at the start of a battle and if there were 3 left
over when they lined up 5 at a time, 3 left over when they lined up 6 at a time, 1 left over
when they lined up 7 at a time, and none left over when they lined up 11 at a time, how many
troops remained after the battle?


10. Find an integer that leaves a remainder of 9 when it is divided by either 10 or 11, but that is
divisible by 13.


11. Find a multiple of 11 that leaves a remainder of 1 when divided by each of the integers 2, 3, 5,
and 7.


12. Solve the following ancient Indian problem: If eggs are removed from a basket 2, 3, 4, 5, and
6 at a time, there remain, respectively, 1, 2, 3, 4, and 5 eggs. But if the eggs are removed 7 at
a time, no eggs remain. What is the least number of eggs that could have been in the basket?


13. Show that there are arbitrarily long strings of consecutive integers each divisible by a perfect
square greater than 1. (Hint: Use the Chinese remainder theorem to show that there is a
simultaneous solution to the system of congruences $x \equiv 0 \pmod{4}$, $x \equiv -1 \pmod{9}$,
$x \equiv -2 \pmod{25}$, ..., $x \equiv -k + 1 \pmod{p_k^2}$, where $p_k$ is the kth prime.)


14. Show that if $a$, $b$, and $c$ are integers such that $(a, b) = 1$, then there is an integer $n$ such that
$(an + b, c) = 1$.

In Exercises 15—18, we will consider systems of congruences where the moduli of the congruences 
are not necessarily relatively prime. 


15. Show that the system of congruences

$$
\begin{aligned}
x &\equiv a_1 \pmod{m_1} \\
x &\equiv a_2 \pmod{m_2}
\end{aligned}
$$

has a solution if and only if $(m_1, m_2) \mid (a_1 - a_2)$. Show that when there is a solution, it is
unique modulo $[m_1, m_2]$. (Hint: Write the first congruence as $x = a_1 + km_1$, where $k$ is an
integer, and then insert this expression for $x$ into the second congruence.)


16. Using Exercise 15, solve each of the following simultaneous systems of congruences.

a) $x \equiv 4 \pmod{6}$
   $x \equiv 13 \pmod{15}$

b) $x \equiv 7 \pmod{10}$
   $x \equiv 4 \pmod{15}$


17. Using Exercise 15, solve each of the following simultaneous systems of congruences.

a) $x \equiv 10 \pmod{60}$
   $x \equiv 80 \pmod{350}$

b) $x \equiv 2 \pmod{910}$
   $x \equiv 93 \pmod{1001}$


18. Does the system of congruences $x \equiv 1 \pmod{8}$, $x \equiv 3 \pmod{9}$, and $x \equiv 2 \pmod{12}$ have any
simultaneous solutions?


What happens when the moduli in a simultaneous system of more than two congruences in one
unknown are not pairwise relatively prime (such as in Exercise 18)? The following exercise
provides compatibility conditions for there to be a unique solution of such a system, modulo
the least common multiple of the moduli.


19. Show that the system of congruences

$$
\begin{aligned}
x &\equiv a_1 \pmod{m_1} \\
x &\equiv a_2 \pmod{m_2} \\
  &\;\;\vdots \\
x &\equiv a_r \pmod{m_r}
\end{aligned}
$$

has a solution if and only if $(m_i, m_j) \mid (a_i - a_j)$ for all pairs of integers $(i, j)$, where
$1 \le i < j \le r$. Show that if a solution exists, then it is unique modulo $[m_1, m_2, \ldots, m_r]$.
(Hint: Use Exercise 15 and mathematical induction.)


20. Using Exercise 19, solve each of the following systems of congruences.

a) $x \equiv 5 \pmod{6}$
   $x \equiv 3 \pmod{10}$
   $x \equiv 8 \pmod{15}$

b) $x \equiv 2 \pmod{14}$
   $x \equiv 16 \pmod{21}$
   $x \equiv 10 \pmod{30}$

c) $x \equiv 2 \pmod{9}$
   $x \equiv 8 \pmod{15}$
   $x \equiv 10 \pmod{25}$

d) $x \equiv 2 \pmod{6}$
   $x \equiv 4 \pmod{8}$
   $x \equiv 2 \pmod{14}$
   $x \equiv 14 \pmod{15}$

e) $x \equiv 7 \pmod{9}$
   $x \equiv 2 \pmod{10}$
   $x \equiv 3 \pmod{12}$
   $x \equiv 6 \pmod{15}$


21. What is the smallest number of lobsters in a tank if 1 lobster is left over when they are removed 
2, 3, 5, or 7 at a time, but no lobsters are left over when they are removed 11 at a time? 


22. An ancient Chinese problem asks for the least number of gold coins a band of 17 pirates 
could have stolen. The problem states that when the pirates divided the coins into equal piles, 
3 coins were left over. When they fought over who should get the extra coins, one of the 
pirates was slain. When the remaining pirates divided the coins into equal piles, 10 coins 
were left over. When the pirates fought again over who should get the extra coins, another 
pirate was slain. When they divided the coins in equal piles again, no coins were left over. 
What is the answer to this problem? 


23. Solve the following problem originally posed by Ch’in Chiu-Shao (using different weight 
units). Three farmers equally divide a quantity of rice with a weight that is an integral number 
of pounds. The farmers each sell their rice, selling as much as possible, at three different 
markets where the markets use weights of 83 pounds, 110 pounds, and 135 pounds, and only 
buy rice in multiples of these weights. What is the least amount of rice the farmers could have 
divided if the farmers return home with 32 pounds, 70 pounds, and 30 pounds, respectively?


24. Using the Chinese remainder theorem, explain how to add and how to multiply 784 and 813 
on a computer of word size 100. 


An integer $x > 2$ with $n$ base $b$ digits is called an automorph to the base $b$ if the last $n$ base $b$
digits of $x^2$ are the same as those of $x$.


* 25. Find the base 10 automorphs with four digits (with initial zeros allowed). 


* 26. How many base b automorphs are there with n or fewer base b digits if b has prime-power 
factorization b = ot Ds wae pet? 


According to the theory of biorhythms, there are three cycles in your life that start the day you are
born. These are the physical, emotional, and intellectual cycles, of lengths 23, 28, and 33 days,
respectively. Each cycle follows a sine curve with period equal to the length of that cycle, starting 
with value 0, climbing to value 1 one-quarter of the way through the cycle, dropping back to value 
0 one-half of the way through the cycle, dropping further to value —1 three-quarters of the way 
through the cycle, and climbing back to value 0 at the end of the cycle. 


Answer Exercises 27-29 about biorhythms, measuring time in quarter days (so that the units will 
be integers). 


27. For which days of your life will you be at a triple peak, where all of your three cycles are at 
maximum values? 


28. For which days of your life will you be at a triple nadir, where all three of your cycles have 
minimum values? 


29. When in your life will all three cycles be at a neutral position (value 0)? 


A set of congruences to distinct moduli greater than 1 that has the property that every integer 
satisfies at least one of the congruences is called a covering set of congruences. 


30. Show that the set of congruences $x \equiv 0 \pmod{2}$, $x \equiv 0 \pmod{3}$, $x \equiv 1 \pmod{4}$,
$x \equiv 1 \pmod{6}$, and $x \equiv 11 \pmod{12}$ is a covering set of congruences.


31. Show that the system of congruences $x \equiv 1 \pmod{2}$, $x \equiv 2 \pmod{4}$, $x \equiv 1 \pmod{3}$,
$x \equiv 8 \pmod{12}$, $x \equiv 4 \pmod{8}$, and $x \equiv 0 \pmod{24}$ is a covering set of congruences.


32. Show that the system of congruences $x \equiv 1 \pmod{2}$, $x \equiv 0 \pmod{4}$, $x \equiv 0 \pmod{3}$,
$x \equiv 2 \pmod{12}$, $x \equiv 2 \pmod{8}$, and $x \equiv 22 \pmod{24}$ is a covering set of congruences.


33. Show that the set of congruences $x \equiv 0 \pmod{2}$, $x \equiv 0 \pmod{3}$, $x \equiv 0 \pmod{5}$,
$x \equiv 0 \pmod{7}$, $x \equiv 1 \pmod{6}$, $x \equiv 1 \pmod{10}$, $x \equiv 1 \pmod{14}$, $x \equiv 2 \pmod{15}$,
$x \equiv 2 \pmod{21}$, $x \equiv 23 \pmod{30}$, $x \equiv 4 \pmod{35}$, $x \equiv 5 \pmod{42}$,
$x \equiv 59 \pmod{70}$, and $x \equiv 104 \pmod{105}$ is a covering set of congruences.


34. Let $m$ be a positive integer with prime-power factorization $m = 2^{a_0} p_1^{a_1} p_2^{a_2} \cdots p_r^{a_r}$.
Show that the congruence $x^2 \equiv 1 \pmod{m}$ has exactly $2^{r+e}$ solutions, where $e = 0$ if
$a_0 = 0$ or 1, $e = 1$ if $a_0 = 2$, and $e = 2$ if $a_0 > 2$. (Hint: Use Exercises 15 and 16 of Section 4.2.)


35. The three children in a family have feet that are 5 inches, 7 inches, and 9 inches long. When 
they measure the length of the dining room of their house using their feet, they each find that 
there are 3 inches left over. How long is the dining room? 


36. Find all solutions of the congruence $x^2 + 6x - 31 \equiv 0 \pmod{72}$. (Hint: First note that
$72 = 2^3 3^2$. Find, by trial and error, the solutions of this congruence modulo 8 and modulo 9. Then
apply the Chinese remainder theorem.)


37. Find all solutions of the congruence $x^2 + 18x - 823 \equiv 0 \pmod{1800}$. (Hint: First note that
$1800 = 2^3 3^2 5^2$. Find, by trial and error, the solutions of this congruence modulo 8, modulo
9, and modulo 25. Then apply the Chinese remainder theorem.)


38. Given a positive integer $R$, a prime $p$ that is the only prime between $p - R$ and $p + R$,
including the end points, is called R-reclusive. Show that for every positive integer $R$, there
are infinitely many R-reclusive primes. (Hint: Use the Chinese remainder theorem to find an
integer $x$ such that $x - j$ is divisible by $p_j$ and $x + j$ is divisible by $p_{R+j}$, where $p_k$ is the
kth prime. Then invoke Dirichlet’s theorem on primes in arithmetic progressions.)


Computations and Explorations


1. Solve the simultaneous system of congruences $x \equiv 1 \pmod{12{,}341{,}234{,}567}$,
$x \equiv 2 \pmod{750{,}000{,}057}$, and $x \equiv 3 \pmod{1{,}099{,}511{,}627{,}776}$.


2. Solve the simultaneous system of congruences $x \equiv 5269 \pmod{40{,}320}$, $x \equiv 1248 \pmod{11{,}111}$,
$x \equiv 16{,}645 \pmod{30{,}003}$, and $x \equiv 2911 \pmod{12{,}321}$.


3. Using Exercise 13 of this section, find a string of 100 consecutive positive integers each 
divisible by a perfect square. Can you find such a set of smaller integers? 


4. Find a covering set of congruences (as described in the preamble to Exercise 30) where the 
smallest modulus of one of the congruences in the covering set is 3, where the smallest 
modulus of one of the congruences in the covering set is 6, and where the smallest modulus 
of one of the congruences in the covering set is 8. 


Programming Projects 


1. Solve systems of linear congruences of the type found in the Chinese remainder theorem.


2. Solve systems of linear congruences of the type given in Exercises 15-20.


3. Add large integers exceeding the word size of a computer using the Chinese remainder 
theorem. 


4. Multiply large integers exceeding the word size of a computer using the Chinese remainder 
theorem. 


5. Given a positive integer b > 1, find automorphs to the base b than 1 (see the preamble to 
Exercise 25). 


6. Plot biorhythm charts and find triple peaks and triple nadirs (see the preamble to Exercise 
27). 


Solving Polynomial Congruences 


This section provides a useful tool that can be used to help find solutions of congruences
of the form $f(x) \equiv 0 \pmod{m}$, where $f(x)$ is a polynomial of degree greater than 1 with
integer coefficients. An example of such a congruence is $2x^3 + 7x - 4 \equiv 0 \pmod{200}$.


We first note that if $m$ has prime-power factorization $m = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$, then
solving the congruence $f(x) \equiv 0 \pmod{m}$ is equivalent to finding the simultaneous
solutions to the system of congruences

$$f(x) \equiv 0 \pmod{p_i^{a_i}}, \quad i = 1, 2, \ldots, k.$$

Once the solutions of each of the $k$ congruences modulo $p_i^{a_i}$ are known, the solutions
of the congruence modulo $m$ can be found by the Chinese remainder theorem. This is
illustrated in the following example.


Example 4.19. Solving the congruence

$$2x^3 + 7x - 4 \equiv 0 \pmod{200}$$

reduces to finding the solutions of

$$2x^3 + 7x - 4 \equiv 0 \pmod{8}$$

and

$$2x^3 + 7x - 4 \equiv 0 \pmod{25},$$

because $200 = 2^3 5^2$. The solutions of the congruence modulo 8 are all integers
$x \equiv 4 \pmod{8}$ (for $x$ to be a solution $x$ must be even; the cases where $x$ is odd can be quickly
checked). In Example 4.20, we will see that the solutions modulo 25 are all integers
$x \equiv 16 \pmod{25}$. When we use the Chinese remainder theorem to solve the simultaneous
congruences $x \equiv 4 \pmod{8}$ and $x \equiv 16 \pmod{25}$, we find that the solutions are all
$x \equiv 116 \pmod{200}$ (as the reader should verify). These are solutions of
$2x^3 + 7x - 4 \equiv 0 \pmod{200}$. ◄


We will see that there is a relatively simple way to solve polynomial congruences
modulo $p^k$, once all solutions modulo $p$ are known. We will show that solutions modulo
$p$ can be used to find solutions modulo $p^2$, solutions modulo $p^2$ can be used to find
solutions modulo $p^3$, and so on. Before introducing the general method, we present an
example illustrating the basic idea used to find solutions of a polynomial congruence
modulo $p^2$ from those modulo $p$.


Example 4.20. The solutions of

$$2x^3 + 7x - 4 \equiv 0 \pmod{5}$$

are the integers with $x \equiv 1 \pmod{5}$, as can be seen by testing $x = 0, 1, 2, 3$, and 4.
How can we find the solutions modulo 25? We could check all 25 different values
$x = 0, 1, 2, \ldots, 24$. However, there is a more systematic method. Because any solution of

$$2x^3 + 7x - 4 \equiv 0 \pmod{25}$$

is also a solution modulo 5, and all solutions modulo 5 satisfy $x \equiv 1 \pmod{5}$, it follows
that $x = 1 + 5t$, where $t$ is an integer. We can solve for $t$ by substituting $1 + 5t$ for $x$. We
obtain

$$2(1 + 5t)^3 + 7(1 + 5t) - 4 \equiv 0 \pmod{25}.$$

Simplifying, we obtain a linear congruence for $t$, namely,

$$65t + 5 \equiv 15t + 5 \equiv 0 \pmod{25}.$$

By Theorem 4.5, we can eliminate a factor of 5, so that

$$3t + 1 \equiv 0 \pmod{5}.$$

The solutions of this congruence are $t \equiv 3 \pmod{5}$. This means that the solutions modulo
25 are those $x$ for which $x \equiv 1 + 5t \equiv 1 + 5 \cdot 3 = 16 \pmod{25}$. The reader should verify
that these are indeed solutions. ◄


We will now introduce a general method that will help us find the solutions of
congruences modulo prime powers. In particular, we will show how the solutions of
the congruence $f(x) \equiv 0 \pmod{p^k}$, where $p$ is prime and $k$ is a positive integer with
$k \ge 2$, can be found from those of the congruence $f(x) \equiv 0 \pmod{p^{k-1}}$. The solutions
of the congruence modulo $p^k$ are said to be lifted from those modulo $p^{k-1}$. The theorem
uses $f'(x)$, the derivative of $f$. However, we will not need results from calculus. Instead,
we can define the derivative of a polynomial directly and describe the properties that we
will need.


Definition. Let $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$, where $a_i$ is a real number
for $i = 0, 1, 2, \ldots, n$. The derivative of $f(x)$, denoted by $f'(x)$, equals
$n a_n x^{n-1} + (n-1) a_{n-1} x^{n-2} + \cdots + a_1$.


Starting with a polynomial, we can find its derivative and then find the derivative of
its derivative, and so on. We can define the kth derivative of a polynomial $f(x)$, denoted
by $f^{(k)}(x)$, as the derivative of the $(k-1)$st derivative, that is, $f^{(k)}(x) = (f^{(k-1)})'(x)$.


We will find the following two lemmas helpful. We leave their proofs to the reader.


Lemma 4.4. If $f(x)$ and $g(x)$ are polynomials and $c$ is a constant, then $(f + g)'(x) =
f'(x) + g'(x)$ and $(cf)'(x) = c(f'(x))$. Furthermore, if $k$ is a positive integer, then
$(f + g)^{(k)}(x) = f^{(k)}(x) + g^{(k)}(x)$ and $(cf)^{(k)}(x) = c(f^{(k)}(x))$.


Lemma 4.5. If $m$ and $k$ are positive integers and $f(x) = x^m$, then
$f^{(k)}(x) = m(m-1) \cdots (m-k+1)x^{m-k}$.


We can now state the result that can be used to lift solutions of polynomial con- 
gruences. It is called Hensel’s lemma after the German mathematician Kurt Hensel, who 
discovered it in work leading to the invention of the field of mathematics known as p-adic 
analysis. 


Theorem 4.15. Hensel’s Lemma. Suppose that $f(x)$ is a polynomial with integer
coefficients, $k$ is an integer with $k \ge 2$, and $p$ is a prime. Suppose further that $r$ is a
solution of the congruence $f(x) \equiv 0 \pmod{p^{k-1}}$. Then,


(i) if $f'(r) \not\equiv 0 \pmod{p}$, then there is a unique integer $t$, $0 \le t < p$, such that
$f(r + tp^{k-1}) \equiv 0 \pmod{p^k}$, given by

$$t \equiv -\overline{f'(r)}\,\bigl(f(r)/p^{k-1}\bigr) \pmod{p},$$

where $\overline{f'(r)}$ is an inverse of $f'(r)$ modulo $p$;


(ii) if $f'(r) \equiv 0 \pmod{p}$ and $f(r) \equiv 0 \pmod{p^k}$, then $f(r + tp^{k-1}) \equiv 0 \pmod{p^k}$
for all integers $t$;


(iii) if $f'(r) \equiv 0 \pmod{p}$ and $f(r) \not\equiv 0 \pmod{p^k}$, then $f(x) \equiv 0 \pmod{p^k}$ has no
solutions with $x \equiv r \pmod{p^{k-1}}$.


In case (i), we see that a solution to $f(x) \equiv 0 \pmod{p^{k-1}}$ lifts to a unique solution of
$f(x) \equiv 0 \pmod{p^k}$, and in cases (ii) and (iii), such a solution either lifts to $p$ incongruent
solutions modulo $p^k$ or to none at all.


We defer the proof of Theorem 4.15 until we have established the following lemma 
about Taylor expansions. 


Lemma 4.6. If $f(x)$ is a polynomial of degree $n$ and $a$ and $b$ are real numbers, then

$$f(a + b) = f(a) + f'(a)b + f''(a)b^2/2! + \cdots + f^{(n)}(a)b^n/n!,$$

where for every given value of $a$ the coefficients (namely, 1, $f'(a)$, $f''(a)/2!$, ...,
$f^{(n)}(a)/n!$) are polynomials in $a$ with integer coefficients.


Proof. Every polynomial $f$ of degree $n$ is the sum of multiples of the functions $x^m$,
where $m \le n$. Furthermore, by Lemma 4.4, we need only establish Lemma 4.6 for the
polynomials $f_m(x) = x^m$, where $m$ is a positive integer.


By the binomial theorem, we have

$$(a + b)^m = \sum_{j=0}^{m} \binom{m}{j} a^{m-j} b^j.$$

By Lemma 4.5, we know that $f_m^{(j)}(a) = m(m-1) \cdots (m-j+1)a^{m-j}$. Hence,

$$f_m^{(j)}(a)/j! = \binom{m}{j} a^{m-j}.$$

Because $\binom{m}{j}$ is an integer for all integers $m$ and $j$ such that $0 \le j \le m$, the coefficients
$f_m^{(j)}(a)/j!$ are integers. This completes the proof. ■


KURT HENSEL (1861-1941) was born in Königsberg, Prussia (now Kaliningrad, Russia).
He studied mathematics in Berlin, and later in Bonn, under many leading mathematicians,
including Kronecker and Weierstrass. Much of his work involved the development of
arithmetic in algebraic number fields. Hensel is best known for inventing the p-adic
numbers in 1902, in work on representations of algebraic numbers in terms of power series.
The p-adic numbers can be thought of as a completion of the set of rational numbers that is
different from the usual completion that produces the set of real numbers. Hensel was
able to use the p-adic numbers to prove many results in number theory, and these numbers
have had a major impact on the development of algebraic number theory. Hensel served as a
professor at the University of Marburg until 1930. He was the editor for many years of the
famous mathematical journal known as Crelle’s Journal, whose official name is Journal für
die reine und angewandte Mathematik.


Now that we have all the ingredients needed to prove Hensel’s lemma, we embark
on its proof. 


Proof. If $r$ is a solution of $f(r) \equiv 0 \pmod{p^k}$, then it is also a solution of
$f(r) \equiv 0 \pmod{p^{k-1}}$. Hence, it equals $r + tp^{k-1}$ for some integer $t$. The proof follows once we
have determined the conditions on $t$.


By Lemma 4.6, it follows that

$$f(r + tp^{k-1}) = f(r) + f'(r)tp^{k-1} + \frac{f''(r)}{2!}(tp^{k-1})^2 + \cdots + \frac{f^{(n)}(r)}{n!}(tp^{k-1})^n,$$

where $f^{(k)}(r)/k!$ is an integer for $k = 1, 2, \ldots, n$. Given that $k \ge 2$, it follows that
$k \le m(k-1)$ and $p^k \mid p^{m(k-1)}$ for $2 \le m \le n$. Hence,

$$f(r + tp^{k-1}) \equiv f(r) + f'(r)tp^{k-1} \pmod{p^k}.$$

Because $r + tp^{k-1}$ is a solution of $f(r + tp^{k-1}) \equiv 0 \pmod{p^k}$, it follows that

$$f'(r)tp^{k-1} \equiv -f(r) \pmod{p^k}.$$

Furthermore, we can divide this congruence by $p^{k-1}$, because $f(r) \equiv 0 \pmod{p^{k-1}}$.
When we do so and rearrange terms, we obtain a linear congruence in $t$, namely,

$$f'(r)t \equiv -f(r)/p^{k-1} \pmod{p}.$$

By examining its solutions modulo $p$, we can prove the three cases of the theorem.


Suppose that $f'(r) \not\equiv 0 \pmod{p}$. It follows that $(f'(r), p) = 1$. Applying Corollary
4.11.1, we see that the congruence for $t$ has a unique solution,

$$t \equiv \bigl(-f(r)/p^{k-1}\bigr)\,\overline{f'(r)} \pmod{p},$$

where $\overline{f'(r)}$ is an inverse of $f'(r)$ modulo $p$. This establishes case (i).


When $f'(r) \equiv 0 \pmod{p}$, we have $(f'(r), p) = p$. By Theorem 4.11, if $p \mid (f(r)/p^{k-1})$,
which holds if and only if $f(r) \equiv 0 \pmod{p^k}$, then all values $t$ are solutions. This
means that $x = r + tp^{k-1}$ is a solution for $t = 0, 1, \ldots, p - 1$. This establishes case (ii).


Finally, consider the case when $f'(r) \equiv 0 \pmod{p}$, but $p \nmid (f(r)/p^{k-1})$. We have
$(f'(r), p) = p$ and $f(r) \not\equiv 0 \pmod{p^k}$; so, by Theorem 4.11, no values of $t$ are solutions.
This completes case (iii). ■


The following corollary shows that we can repeatedly lift solutions, starting with a 
solution modulo p, when case (i) of Hensel’s lemma applies. 


Corollary 4.15.1. Suppose that $r$ is a solution of the polynomial congruence
$f(x) \equiv 0 \pmod{p}$, where $p$ is a prime. If $f'(r) \not\equiv 0 \pmod{p}$, then there is a unique solution $r_k$
modulo $p^k$, $k = 2, 3, \ldots$, such that $r_1 = r$ and

$$r_k = r_{k-1} - f(r_{k-1})\,\overline{f'(r)},$$

where $\overline{f'(r)}$ is an inverse of $f'(r)$ modulo $p$.


Proof. Using the hypotheses, we see by Hensel’s lemma that $r$ lifts to a unique solution
$r_2$ modulo $p^2$ with $r_2 = r + tp$, where $t = -\overline{f'(r)}\,(f(r)/p)$. Hence,

$$r_2 = r - f(r)\,\overline{f'(r)}.$$

Because $r_2 \equiv r \pmod{p}$, it follows that $f'(r_2) \equiv f'(r) \not\equiv 0 \pmod{p}$. Using Hensel’s
lemma again, we see that there is a unique solution $r_3$ modulo $p^3$, which can be shown
to be $r_3 = r_2 - f(r_2)\,\overline{f'(r)}$. If we continue in this way, we find that the corollary follows
for all integers $k \ge 2$. ■


The following examples illustrate how Hensel’s lemma is applied. 


Example 4.21. Find the solutions of

$$x^3 + x^2 + 29 \equiv 0 \pmod{25}.$$

Let $f(x) = x^3 + x^2 + 29$. We see (by inspection) that the solutions of $f(x) \equiv 0 \pmod{5}$
satisfy $x \equiv 3 \pmod{5}$. Because $f'(x) = 3x^2 + 2x$ and $f'(3) = 33 \equiv 3 \not\equiv 0 \pmod{5}$,
Hensel’s lemma tells us that there is a unique solution modulo 25 of the form $3 + 5t$,
where

$$t \equiv -\overline{f'(3)}\,(f(3)/5) \pmod{5}.$$

Note that $\overline{f'(3)} = \overline{3} = 2$, because 2 is inverse to 3 modulo 5. Also note that
$f(3)/5 = 65/5 = 13$. It follows that $t \equiv -2 \cdot 13 \equiv 4 \pmod{5}$. We conclude that
$x \equiv 3 + 5 \cdot 4 = 23$ is the unique solution of $f(x) \equiv 0 \pmod{25}$. ◄


Example 4.22. Find the solutions of

$$x^2 + x + 7 \equiv 0 \pmod{27}.$$

Let $f(x) = x^2 + x + 7$. We find (by inspection) that the solutions of $f(x) \equiv 0 \pmod{3}$
are the integers with $x \equiv 1 \pmod{3}$. Because $f'(x) = 2x + 1$, we see that
$f'(1) = 3 \equiv 0 \pmod{3}$. Furthermore, because $f(1) = 9 \equiv 0 \pmod{9}$, we can apply case (ii) of
Hensel’s lemma to conclude that $1 + 3t$ is a solution modulo 9 for all integers $t$. This
means that the solutions modulo 9 are $x \equiv 1, 4$, or $7 \pmod{9}$.


Now, by case (iii) of Hensel’s lemma, because $f(1) = 9 \not\equiv 0 \pmod{27}$, there are no
solutions of $f(x) \equiv 0 \pmod{27}$ with $x \equiv 1 \pmod{9}$. Because $f(4) = 27 \equiv 0 \pmod{27}$,
by case (ii), $4 + 9t$ is a solution modulo 27 for all integers $t$. This shows that all $x \equiv 4, 13$,
or $22 \pmod{27}$ are solutions. Finally, by case (iii), because $f(7) = 63 \not\equiv 0 \pmod{27}$,
there are no solutions of $f(x) \equiv 0 \pmod{27}$ with $x \equiv 7 \pmod{9}$.


Putting everything together, we see that all solutions of $f(x) \equiv 0 \pmod{27}$ are those
$x \equiv 4, 13$, or $22 \pmod{27}$. ◄


Example 4.23. What are the solutions of $f(x) = x^3 + x^2 + 2x + 26 \equiv 0 \pmod{343}$?
By inspection, we see that the solutions of $x^3 + x^2 + 2x + 26 \equiv 0 \pmod 7$ are the
integers $x \equiv 2 \pmod 7$. Because $f'(x) = 3x^2 + 2x + 2$, it follows that
$f'(2) = 18 \not\equiv 0 \pmod 7$. We can use Corollary 4.15.1 to find solutions modulo $7^k$ for $k = 2, 3, \ldots$.

Noting that $\overline{f'(2)} = \overline{4} = 2$, we find that
$r_2 = 2 - f(2)\overline{f'(2)} = 2 - 42 \cdot 2 = -82 \equiv 16 \pmod{49}$, and
$r_3 = 16 - f(16)\overline{f'(2)} = 16 - 4410 \cdot 2 = -8804 \equiv 114 \pmod{343}$.
It follows that the solutions modulo 343 are the integers $x \equiv 114 \pmod{343}$. ◄


4.4 EXERCISES


. Find all the solutions of each of the following congruences. 


a) x* + 4x +2=0 (mod 7) 
b) x2 + 4x +2 =0 (mod 49) 
c) x2 + 4x + 2 =0 (mod 343) 


. Find all the solutions of each of the following congruences. 


a) x3 + 8x2 —x —1=0 (mod 11) 
b) x3 + 8x2 — x — 1=0 (mod 121) 
c) x3 + 8x2 — x —1=0 (mod 1331) 


. Find the solutions of the congruence x? + x + 47 = 0 (mod 2401). (Note that 2401 = 74.) 

. Find the solutions of x? + x + 34 =0 (mod 81). 

. Find all solutions of 13x? — 42x — 649 = 0 (mod 1323). 

. Find all solutions of x® — x4 + 1001 = 0 (mod 539). 

. Find all solutions of x* + 2x + 36 = 0 (mod 4375). 

. Find all solutions of x6 — 2x° — 35 = 0 (mod 6125). 

. How many incongruent solutions are there to the congruence 5x? + x? + x + 1=0 (mod 64)? 
. How many incongruent solutions are there to the congruence x° + x — 6 = 0 (mod 144)? 


11. 


Let a be an integer and p a prime such that (a, p) = 1. Use Hensel’s lemma to find a recursive 
formula for the solutions of the congruence ax = 1 (mod p*), for all positive integers k. 


a) Let f(x) be a polynomial with integer coefficients. Let p be a prime, k a positive integer, 
and j an integer such that k > 2j + 1. Let a be a solution of f(a) = 0 (mod p*), with 
p/ exactly dividing f’(a). Show that if b = a (mod p*—/), then f(b) = f(a) (mod p*), 
p! exactly divides f’(b), and there is a unique t modulo p such that f(a + tp*-/) = 
0 (mod p*t!), (Hint: Using a Taylor expansion, first show that f(a + tp*~/) = f(a) + 
tp*~J f'(a) (mod p**~*/).) 

b) Show that when the hypotheses of part (a) hold, the solutions of f (x) = 0 (mod p*) may 
be lifted to solutions of arbitrarily high powers of p. 


How many solutions are there to x? + x + 223 = 0 (mod 3/), where j is a positive integer? 
(Hint: First find the solutions modulo 3° and then apply Exercise 12.) 


Computations and Explorations 


1. 
2. 


Find all solutions of x* — 13x3 + 11x — 3=0 (mod 7%). 
Find all solutions of x? + 13x3 — x + 100,336 = 0 (mod 17). 
Programming Projects


1. Use Hensel's lemma to solve congruences of the form $f(x) \equiv 0 \pmod{p^n}$, where $f(x)$ is a
polynomial, $p$ is prime, and $n$ is a positive integer.


4.5 Systems of Linear Congruences 


We will consider systems of more than one congruence that involve the same number 
of unknowns as congruences, where all congruences have the same modulus. We begin 
our study with an example. 


Suppose that we wish to find all integers $x$ and $y$ such that both of the congruences

$$\begin{aligned} 3x + 4y &\equiv 5 \pmod{13} \\ 2x + 5y &\equiv 7 \pmod{13} \end{aligned}$$

are satisfied. To attempt to eliminate $y$, we multiply the first congruence by 5 and the
second by 4, to obtain

$$\begin{aligned} 15x + 20y &\equiv 25 \pmod{13} \\ 8x + 20y &\equiv 28 \pmod{13}. \end{aligned}$$

We subtract the second congruence from the first, to find that

$$7x \equiv -3 \pmod{13}.$$

Because 2 is an inverse of 7 (mod 13), we multiply both sides of the above congruence
by 2. This gives

$$2 \cdot 7x \equiv -2 \cdot 3 \pmod{13},$$

which tells us that

$$x \equiv 7 \pmod{13}.$$

Likewise, to eliminate $x$, we can multiply the first congruence by 2 and the second by 3
(of the original system), to see that

$$\begin{aligned} 6x + 8y &\equiv 10 \pmod{13} \\ 6x + 15y &\equiv 21 \pmod{13}. \end{aligned}$$

When we subtract the first congruence from the second, we obtain

$$7y \equiv 11 \pmod{13}.$$

To solve for $y$, we multiply both sides of this congruence by 2, an inverse of 7 modulo
13. We get

$$2 \cdot 7y \equiv 2 \cdot 11 \pmod{13},$$

so that

$$y \equiv 9 \pmod{13}.$$

What we have shown is that any solution $(x, y)$ must satisfy

$$x \equiv 7 \pmod{13}, \quad y \equiv 9 \pmod{13}.$$

When we insert these congruences for $x$ and $y$ into the original system, we see that these
pairs actually are solutions:

$$\begin{aligned} 3x + 4y &\equiv 3 \cdot 7 + 4 \cdot 9 = 57 \equiv 5 \pmod{13} \\ 2x + 5y &\equiv 2 \cdot 7 + 5 \cdot 9 = 59 \equiv 7 \pmod{13}. \end{aligned}$$

Hence, the solutions of this system of congruences are all pairs $(x, y)$ such that
$x \equiv 7 \pmod{13}$ and $y \equiv 9 \pmod{13}$.


We now give a general result concerning certain systems of two congruences in two
unknowns. (This result resembles Cramer's rule for solving systems of linear equations.)

Theorem 4.16. Let $a, b, c, d, e, f$, and $m$ be integers with $m > 0$, and $(\Delta, m) = 1$,
where $\Delta = ad - bc$. Then the system of congruences

$$\begin{aligned} ax + by &\equiv e \pmod m \\ cx + dy &\equiv f \pmod m \end{aligned}$$

has a unique solution modulo $m$, given by

$$\begin{aligned} x &\equiv \overline{\Delta}(de - bf) \pmod m \\ y &\equiv \overline{\Delta}(af - ce) \pmod m, \end{aligned}$$

where $\overline{\Delta}$ is an inverse of $\Delta$ modulo $m$.


Proof. To eliminate $y$, we multiply the first congruence of the system by $d$ and the
second by $b$, to obtain

$$\begin{aligned} adx + bdy &\equiv de \pmod m \\ bcx + bdy &\equiv bf \pmod m. \end{aligned}$$

Then we subtract the second congruence from the first, to find that

$$(ad - bc)x \equiv de - bf \pmod m,$$

or, because $\Delta = ad - bc$,

$$\Delta x \equiv de - bf \pmod m.$$

Next, we multiply both sides of this congruence by $\overline{\Delta}$, an inverse of $\Delta$ modulo $m$, to
conclude that

$$x \equiv \overline{\Delta}(de - bf) \pmod m.$$

In a similar way, to eliminate $x$, we multiply the first congruence by $c$ and the second
by $a$, to obtain

$$\begin{aligned} acx + bcy &\equiv ce \pmod m \\ acx + ady &\equiv af \pmod m. \end{aligned}$$

We subtract the first congruence from the second, to find that

$$(ad - bc)y \equiv af - ce \pmod m$$

or

$$\Delta y \equiv af - ce \pmod m.$$

Finally, we multiply both sides of this congruence by $\overline{\Delta}$ to see that

$$y \equiv \overline{\Delta}(af - ce) \pmod m.$$

We have shown that if $(x, y)$ is a solution of the system of congruences, then

$$x \equiv \overline{\Delta}(de - bf) \pmod m, \quad y \equiv \overline{\Delta}(af - ce) \pmod m.$$

We can easily check that any such pair $(x, y)$ is a solution. When
$x \equiv \overline{\Delta}(de - bf) \pmod m$ and $y \equiv \overline{\Delta}(af - ce) \pmod m$, we have

$$ax + by \equiv a\overline{\Delta}(de - bf) + b\overline{\Delta}(af - ce)$$

and

$$cx + dy \equiv c\overline{\Delta}(de - bf) + d\overline{\Delta}(af - ce) \equiv \overline{\Delta}(cde - bcf + adf - cde)$$

This establishes the theorem. ■


By similar methods, we may solve systems of n congruences involving n unknowns. 
However, we will develop the theory of solving such systems, as well as larger systems, 
by methods taken from linear algebra. Readers unfamiliar with linear algebra may wish 
to skip the remainder of this section. 


Systems of n linear congruences involving n unknowns will arise in our subsequent 
cryptographic studies. To study such systems when n is large, it is helpful to use the 
language of matrices. We will use some of the basic notions of matrix arithmetic, which 
are discussed in most linear algebra texts. 


Before we proceed, we need to define congruences of matrices. 


Definition. Let $A$ and $B$ be $n \times k$ matrices with integer entries, with $(i, j)$th entries $a_{ij}$
and $b_{ij}$, respectively. We say that $A$ is congruent to $B$ modulo $m$ if $a_{ij} \equiv b_{ij} \pmod m$ for
all pairs $(i, j)$ with $1 \le i \le n$ and $1 \le j \le k$. We write $A \equiv B \pmod m$ if $A$ is congruent
to $B$ modulo $m$.


The matrix congruence $A \equiv B \pmod m$ provides a succinct way of expressing the
$nk$ congruences $a_{ij} \equiv b_{ij} \pmod m$ for $1 \le i \le n$ and $1 \le j \le k$.


Example 4.24. We easily see that 
sy 32) .f 4 3 
( 3 ee , (mod 11). P 


The following proposition will be needed. 


Theorem 4.17. If $A$ and $B$ are $n \times k$ matrices with $A \equiv B \pmod m$, $C$ is a $k \times p$
matrix, and $D$ is a $p \times n$ matrix, all with integer entries, then $AC \equiv BC \pmod m$ and
$DA \equiv DB \pmod m$.


Proof. Let the entries of $A$ and $B$ be $a_{ij}$ and $b_{ij}$, respectively, for $1 \le i \le n$ and $1 \le j \le k$,
and let the entries of $C$ be $c_{ij}$ for $1 \le i \le k$ and $1 \le j \le p$. The $(i, j)$th entries of $AC$ and
$BC$ are $\sum_{t=1}^{k} a_{it}c_{tj}$ and $\sum_{t=1}^{k} b_{it}c_{tj}$, respectively, for $1 \le i \le n$ and $1 \le j \le p$. Because
$A \equiv B \pmod m$, we know that $a_{it} \equiv b_{it} \pmod m$ for all $i$ and $t$. Hence, by Theorem 4.4,
we see that $\sum_{t=1}^{k} a_{it}c_{tj} \equiv \sum_{t=1}^{k} b_{it}c_{tj} \pmod m$. Consequently, $AC \equiv BC \pmod m$.


The proof that $DA \equiv DB \pmod m$ is similar and is omitted. ■
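Now let us consider the system of congruences

$$\begin{aligned} a_{11}x_1 + a_{12}x_2 + \cdots + a_{1n}x_n &\equiv b_1 \pmod m \\ a_{21}x_1 + a_{22}x_2 + \cdots + a_{2n}x_n &\equiv b_2 \pmod m \\ &\ \,\vdots \\ a_{n1}x_1 + a_{n2}x_2 + \cdots + a_{nn}x_n &\equiv b_n \pmod m. \end{aligned}$$

Using matrix notation, we see that this system of $n$ congruences is equivalent to the
matrix congruence $AX \equiv B \pmod m$, where

$$A = \begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1n} \\ a_{21} & a_{22} & \cdots & a_{2n} \\ \vdots & \vdots & & \vdots \\ a_{n1} & a_{n2} & \cdots & a_{nn} \end{pmatrix}, \quad X = \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_n \end{pmatrix}, \quad \text{and} \quad B = \begin{pmatrix} b_1 \\ b_2 \\ \vdots \\ b_n \end{pmatrix}.$$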


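Example 4.25. The system

$$\begin{aligned} 3x + 4y &\equiv 5 \pmod{13} \\ 2x + 5y &\equiv 7 \pmod{13} \end{aligned}$$

can be written as

$$\begin{pmatrix} 3 & 4 \\ 2 & 5 \end{pmatrix} \begin{pmatrix} x \\ y \end{pmatrix} \equiv \begin{pmatrix} 5 \\ 7 \end{pmatrix} \pmod{13}.$$


We now develop a method for solving congruences of the form $AX \equiv B \pmod m$.
This method is based on finding a matrix $\overline{A}$ such that $\overline{A}A \equiv I \pmod m$, where $I$ is the
identity matrix.


Definition. If $A$ and $\overline{A}$ are $n \times n$ matrices of integers and $\overline{A}A \equiv A\overline{A} \equiv I \pmod m$,
where

$$I = \begin{pmatrix} 1 & 0 & \cdots & 0 \\ 0 & 1 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ 0 & 0 & \cdots & 1 \end{pmatrix}$$

is the identity matrix of order $n$, then $\overline{A}$ is said to be an
inverse of $A$ modulo $m$.


If $\overline{A}$ is an inverse of $A$ and $B \equiv \overline{A} \pmod m$, then $B$ is also an inverse of $A$. This
follows from Theorem 4.17, because $BA \equiv \overline{A}A \equiv I \pmod m$. Conversely, if $B_1$ and $B_2$
are both inverses of $A$, then $B_1 \equiv B_2 \pmod m$. To see this, using Theorem 4.17 and
the congruence $B_1A \equiv B_2A \equiv I \pmod m$, we have $B_1AB_1 \equiv B_2AB_1 \pmod m$. Because
$AB_1 \equiv I \pmod m$, we conclude that $B_1 \equiv B_2 \pmod m$.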


Example 4.26. Given that 


(2 2)(¢ 2)=(t0 6) 
OCC B)-(58) ows 


4\. . 1 3 
y) is an inverse of ( 7 > modulo 5. < 


Il 
fo 
or 
= © 
Nee” 
oN 
B 
o) 
[on 
1o | 
Nee 


and 


we see that the matrix ( : 


The following proposition gives an easy method for finding inverses for 2 x 2 
matrices. 


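Theorem 4.18. Let $A = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$ be a matrix of integers, such that
$\Delta = \det A = ad - bc$ is relatively prime to the positive integer $m$. Then the matrix

$$\overline{A} = \overline{\Delta} \begin{pmatrix} d & -b \\ -c & a \end{pmatrix},$$

where $\overline{\Delta}$ is the inverse of $\Delta$ modulo $m$, is an inverse of $A$ modulo $m$.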


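Proof. To verify that the matrix $\overline{A}$ is an inverse of $A$ modulo $m$, we need only verify
that $A\overline{A} \equiv \overline{A}A \equiv I \pmod m$.


To see this, note that

$$\begin{aligned} A\overline{A} &\equiv \begin{pmatrix} a & b \\ c & d \end{pmatrix} \overline{\Delta} \begin{pmatrix} d & -b \\ -c & a \end{pmatrix} \equiv \overline{\Delta} \begin{pmatrix} ad - bc & 0 \\ 0 & -bc + ad \end{pmatrix} \\ &\equiv \overline{\Delta} \begin{pmatrix} \Delta & 0 \\ 0 & \Delta \end{pmatrix} \equiv \begin{pmatrix} \overline{\Delta}\Delta & 0 \\ 0 & \overline{\Delta}\Delta \end{pmatrix} \equiv \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} = I \pmod m \end{aligned}$$

and

$$\begin{aligned} \overline{A}A &\equiv \overline{\Delta} \begin{pmatrix} d & -b \\ -c & a \end{pmatrix} \begin{pmatrix} a & b \\ c & d \end{pmatrix} \equiv \overline{\Delta} \begin{pmatrix} ad - bc & 0 \\ 0 & -bc + ad \end{pmatrix} \\ &\equiv \overline{\Delta} \begin{pmatrix} \Delta & 0 \\ 0 & \Delta \end{pmatrix} \equiv \begin{pmatrix} \overline{\Delta}\Delta & 0 \\ 0 & \overline{\Delta}\Delta \end{pmatrix} \equiv \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} = I \pmod m, \end{aligned}$$

where $\overline{\Delta}$ is an inverse of $\Delta$ (mod $m$), which exists because $(\Delta, m) = 1$. ■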


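Example 4.27. Let $A = \begin{pmatrix} 3 & 4 \\ 2 & 5 \end{pmatrix}$. Because 2 is an inverse of $\det A = 7$ modulo 13,
we have

$$\overline{A} \equiv 2 \begin{pmatrix} 5 & -4 \\ -2 & 3 \end{pmatrix} \equiv \begin{pmatrix} 10 & -8 \\ -4 & 6 \end{pmatrix} \equiv \begin{pmatrix} 10 & 5 \\ 9 & 6 \end{pmatrix} \pmod{13}.$$


To provide a formula for an inverse of an $n \times n$ matrix, where $n$ is a positive integer
greater than 2, we need a result from linear algebra. It involves the notion of the adjoint
of a matrix, which is defined as follows.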


Definition. The adjoint of an $n \times n$ matrix $A$ is the $n \times n$ matrix with $(i, j)$th entry
$C_{ji}$, where $C_{ij}$ is $(-1)^{i+j}$ times the determinant of the matrix obtained by deleting the
$i$th row and $j$th column from $A$. The adjoint of $A$ is denoted by adj$(A)$, or simply adj $A$.


Theorem 4.19. If $A$ is an $n \times n$ matrix with $\det A \ne 0$, then $A(\text{adj } A) = (\det A)I$,
where adj $A$ is the adjoint of $A$.


Using this theorem, the following theorem follows readily. 


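Theorem 4.20. If $A$ is an $n \times n$ matrix with integer entries and $m$ is a positive integer
such that $(\det A, m) = 1$, then the matrix $\overline{A} = \overline{\Delta}(\text{adj } A)$ is an inverse of $A$ modulo $m$,
where $\overline{\Delta}$ is an inverse of $\Delta = \det A$ modulo $m$.


Proof. If $(\det A, m) = 1$, then we know that $\det A \ne 0$. Hence, by Theorem 4.19, we
have

$$A(\text{adj } A) = (\det A)I = \Delta I.$$

Because $(\det A, m) = 1$, there is an inverse $\overline{\Delta}$ of $\Delta = \det A$ modulo $m$. Hence,

$$A(\overline{\Delta}\,\text{adj } A) \equiv A \cdot (\text{adj } A)\overline{\Delta} \equiv \Delta\overline{\Delta}I \equiv I \pmod m,$$

and

$$\overline{\Delta}(\text{adj } A)A \equiv \overline{\Delta}((\text{adj } A)A) \equiv \overline{\Delta}\Delta I \equiv I \pmod m.$$

This shows that $\overline{A} = \overline{\Delta}(\text{adj } A)$ is an inverse of $A$ modulo $m$. ■


Example 4.28. Let $A = \begin{pmatrix} 2 & 5 & 6 \\ 2 & 0 & 1 \\ 1 & 2 & 3 \end{pmatrix}$. Then $\det A = -5$. Furthermore, we have
$(\det A, 7) = 1$, and we see that 4 is an inverse of $\det A = -5$ (mod 7). Consequently, we
find that

$$\overline{A} = 4(\text{adj } A) = 4 \begin{pmatrix} -2 & -3 & 5 \\ -5 & 0 & 10 \\ 4 & 1 & -10 \end{pmatrix} = \begin{pmatrix} -8 & -12 & 20 \\ -20 & 0 & 40 \\ 16 & 4 & -40 \end{pmatrix} \equiv \begin{pmatrix} 6 & 2 & 6 \\ 1 & 0 & 5 \\ 2 & 4 & 2 \end{pmatrix} \pmod 7.$$

◄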


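We can use an inverse of $A$ modulo $m$ to solve the system

$$AX \equiv B \pmod m,$$

where $(\det A, m) = 1$. By Theorem 4.17, when we multiply both sides of this congruence
by an inverse $\overline{A}$ of $A$, we obtain

$$\begin{aligned} \overline{A}(AX) &\equiv \overline{A}B \pmod m \\ (\overline{A}A)X &\equiv \overline{A}B \pmod m \\ X &\equiv \overline{A}B \pmod m. \end{aligned}$$

Hence, we find the solution $X$ by forming $\overline{A}B$ (mod $m$).

Note that this method provides another proof of Theorem 4.16. To see this, let
$AX = B$, where $A = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$, $X = \begin{pmatrix} x \\ y \end{pmatrix}$, and $B = \begin{pmatrix} e \\ f \end{pmatrix}$. If $\Delta = \det A = ad - bc$
is relatively prime to $m$, then

$$\begin{pmatrix} x \\ y \end{pmatrix} = X \equiv \overline{A}B \equiv \overline{\Delta} \begin{pmatrix} d & -b \\ -c & a \end{pmatrix} \begin{pmatrix} e \\ f \end{pmatrix} = \overline{\Delta} \begin{pmatrix} de - bf \\ af - ce \end{pmatrix} \pmod m.$$

This demonstrates that $(x, y)$ is a solution if and only if

$$x \equiv \overline{\Delta}(de - bf) \pmod m, \quad y \equiv \overline{\Delta}(af - ce) \pmod m.$$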


Next, we give an example of the solution of a system of three congruences in three 
unknowns using matrices. 


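Example 4.29. We consider the system of three congruences

$$\begin{aligned} 2x_1 + 5x_2 + 6x_3 &\equiv 3 \pmod 7 \\ 2x_1 + x_3 &\equiv 4 \pmod 7 \\ x_1 + 2x_2 + 3x_3 &\equiv 1 \pmod 7. \end{aligned}$$

This is equivalent to the matrix congruence

$$\begin{pmatrix} 2 & 5 & 6 \\ 2 & 0 & 1 \\ 1 & 2 & 3 \end{pmatrix} \begin{pmatrix} x_1 \\ x_2 \\ x_3 \end{pmatrix} \equiv \begin{pmatrix} 3 \\ 4 \\ 1 \end{pmatrix} \pmod 7.$$

We have previously shown that the matrix $\begin{pmatrix} 6 & 2 & 6 \\ 1 & 0 & 5 \\ 2 & 4 & 2 \end{pmatrix}$ is an inverse of $\begin{pmatrix} 2 & 5 & 6 \\ 2 & 0 & 1 \\ 1 & 2 & 3 \end{pmatrix}$
(mod 7). Hence, we have

$$\begin{pmatrix} x_1 \\ x_2 \\ x_3 \end{pmatrix} \equiv \begin{pmatrix} 6 & 2 & 6 \\ 1 & 0 & 5 \\ 2 & 4 & 2 \end{pmatrix} \begin{pmatrix} 3 \\ 4 \\ 1 \end{pmatrix} = \begin{pmatrix} 32 \\ 8 \\ 24 \end{pmatrix} \equiv \begin{pmatrix} 4 \\ 1 \\ 3 \end{pmatrix} \pmod 7.$$

◄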
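Theorem 4.20 and the method of Example 4.29 translate directly into code. The following Python code is an added example, not code from the book; the function names are assumptions made here, and the determinant is computed by cofactor expansion, which is only practical for small matrices.

```python
from math import gcd


def minor(A, i, j):
    """Matrix obtained by deleting row i and column j of A (0-based indices)."""
    return [row[:j] + row[j + 1:] for r, row in enumerate(A) if r != i]


def det(A):
    """Exact integer determinant by cofactor expansion along the first row."""
    if len(A) == 1:
        return A[0][0]
    return sum((-1) ** j * A[0][j] * det(minor(A, 0, j)) for j in range(len(A)))


def adjugate(A):
    """adj A: the (i, j) entry is the cofactor C_ji, as in the definition above."""
    n = len(A)
    if n == 1:
        return [[1]]
    return [[(-1) ** (i + j) * det(minor(A, j, i)) for j in range(n)] for i in range(n)]


def inverse_mod(A, m):
    """An inverse of A modulo m by Theorem 4.20; requires (det A, m) = 1."""
    d = det(A)
    if gcd(d, m) != 1:
        raise ValueError("det A = %d is not relatively prime to m = %d" % (d, m))
    d_inv = pow(d % m, -1, m)           # inverse of the determinant modulo m
    return [[(d_inv * c) % m for c in row] for row in adjugate(A)]


def mat_vec_mod(A, v, m):
    """Product of matrix A and column vector v, reduced modulo m."""
    return [sum(a * x for a, x in zip(row, v)) % m for row in A]


def solve_mod(A, B, m):
    """Unique solution X of AX = B (mod m), formed as (inverse of A) times B."""
    return mat_vec_mod(inverse_mod(A, m), B, m)


if __name__ == "__main__":
    A = [[2, 5, 6], [2, 0, 1], [1, 2, 3]]          # Example 4.28
    print(det(A), adjugate(A))
    print(inverse_mod(A, 7))
    print(solve_mod(A, [3, 4, 1], 7))              # Example 4.29
    print(solve_mod([[3, 4], [2, 5]], [5, 7], 13)) # system solved at the start of Section 4.5
```

When the determinant shares a factor with the modulus, `inverse_mod` raises an error instead of returning a matrix; the theorem gives no inverse by this formula in that case.
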


Before leaving this subject, we should mention that many methods for solving sys- 
tems of linear equations may be adapted to solve systems of congruences. For instance, 
Gaussian elimination may be adapted to solve systems of congruences, where division 
is always replaced by multiplication by inverses modulo m. Also, there is a method for 
solving systems of congruences analogous to Cramer’s rule. We leave the development 
of these methods as exercises for those readers familiar with linear algebra. 


EXERCISES 


. Find the solutions of each of the following systems of linear congruences. 


a) x +2y =1(mod 5) b) x + 3y =1 (mod 5) c) 4x + y =2 (mod 5) 
2x + y =1(mod 5) 3x + 4y =2 (mod 5) 2x + 3y = 1(mod 5) 
. Find the solutions of each of the following systems of linear congruences. 
a) 2x + 3y =5 (mod 7) b) 4x + y =5 (mod 7) 
x + Sy = 6 (mod 7) x + 2y =4 (mod 7) 


. What are the possibilities for the number of incongruent solutions of the system of linear 


congruences 
ax + by =c (mod p) 
dx + ey =f (mod p), 


where p is a prime and a, b, c, d, e, and f are positive integers? 


2.4 4 0 
ca(? 2)(4 9) cous 


and all entries of C are nonnegative integers less than 5. 


. Find the matrix C such that 


. Use mathematical induction to prove that if A and B are n x n matrices with integer entries 


such that A = B (mod m), then A‘ = BF (mod m) for all positive integers k. 


A matrix A # I is called involutory modulo m if A? =I (mod m). 
6. Show that a as ) is involutory modulo 26.
7. Prove or disprove that if A is a2 x 2 involutory matrix modulo m, then det A = +1 (mod m). 


8. Find an inverse modulo 5 of each of the following matrices. 
0 1 1 2 2 2 
o(t 0) (3 4) 9 (4 3) 


9. Find an inverse modulo 7 of each of the following matrices. 


110 123 110 
o(1 03] »(1 25] 
011 1 4 6 


10. Using Exercise 9, find all the solutions of each of the following systems. 
a) x + y =1(mod7) b) x +2y + 3z = 1 (mod 7) c) x +y+z=1(mod7) 
x +z =2 (mod 7) x +2y +5z =1 (mod 7) x+y+w=1(mod7) 
y +z =3 (mod 7) x +4y + 6z =1(mod7) x+z+w =1(mod7) 
y+z+w=1(mod7) 


ore == 
—=—=— © — 


1 1 
0 1 
1 1 


11. How many incongruent solutions does each of the following systems of congruences have? 
a) x+ y+ z=1(mod5) c) 3x+ y+3z=1(mod 5) 
2x + 4y + 3z = 1 (mod 5) x +2y + 4z =2 (mod 5) 
4x + 3y + 2z =3 (mod 5) 


b) 2x +3y+ z=3 (mod 5) d) 2x+ y+ z=1(mod5) 
x +2y + 3z =1 (mod 5) x+2y+ z=1(mod 5) 
2x + z=1(mod5) x+ y+2z=1(mod 5) 


* 12. Develop an analogue of Cramer’s rule for solving systems of n linear congruences in n 
unknowns. 


* 13. Develop an analogue of Gaussian elimination to solve systems of n linear congruences in m 
unknowns (where m and n may differ). 


A magic square is a square array of integers with the property that the sum of the integers in a
row or in a column is always the same. In this exercise, we present a method for producing magic
squares.


* 14. Show that the $n^2$ integers $0, 1, \ldots, n^2 - 1$ are put into the $n^2$ positions of an $n \times n$ square,
without putting two integers in the same position, if the integer $k$ is placed in the $i$th row and
$j$th column, where

$$\begin{aligned} i &\equiv a + ck + e[k/n] \pmod n, \\ j &\equiv b + dk + f[k/n] \pmod n, \end{aligned}$$

$1 \le i \le n$, $1 \le j \le n$, and $a, b, c, d, e$, and $f$ are integers with $(cf - de, n) = 1$.


* 15. Show that a magic square is produced in Exercise 14 if $(c, n) = (d, n) = (e, n) = (f, n) = 1$.


* 16. The positive and negative diagonals of an $n \times n$ square consist of the integers in positions
$(i, j)$, where $i + j \equiv k \pmod n$ and $i - j \equiv k \pmod n$, respectively, where $k$ is a given
integer. A square is called diabolic if the sum of the integers in a positive or negative diagonal
is always the same. Show that a diabolic square is produced using the procedure given in
Exercise 14 if $(c + d, n) = (c - d, n) = (e + f, n) = (e - f, n) = 1$.


Computations and Explorations


1. Produce 4 × 4, 5 × 5, and 6 × 6 magic squares.


Programming Projects


1. Find the solutions of a system of two linear congruences in two unknowns using Theorem
4.15.

2. Find inverses of 2 × 2 matrices using Theorem 4.17.

3. Find inverses of n × n matrices using Theorem 4.19.

4. Solve systems of n linear congruences in n unknowns using inverses of matrices.

5. Solve systems of n linear congruences in n unknowns using an analogue of Cramer's rule
(see Exercise 12).

6. Solve systems of n linear congruences in m unknowns using an analogue of Gaussian
elimination (see Exercise 13).

7. Given a positive integer, produce an n × n magic square by the method given in Exercise 14.


4.6 Factoring Using the Pollard Rho Method


In this section, we will describe a factorization method based on congruences that was
developed in 1974 by J. M. Pollard. Pollard called this technique the Monte Carlo method,
because it relies on generating integers that behave as though they were randomly chosen;
it is now commonly known as the Pollard rho method, for reasons that will be explained.


Suppose that $n$ is a large composite integer and that $p$ is its smallest prime divisor.
Our goal is to choose integers $x_0, x_1, \ldots, x_s$ so that these integers have distinct least
nonnegative residues modulo $n$, but where their least nonnegative residues modulo $p$ are
not all distinct. As can be seen using probabilistic arguments (see [Ri94]), this is likely
to be the case when $s$ is large compared to $\sqrt{p}$ but small when compared to $\sqrt{n}$, and the
numbers are chosen randomly.


Once we have found integers $x_i$ and $x_j$, $0 \le i < j \le s$, such that $x_i \equiv x_j \pmod p$
but $x_i \not\equiv x_j \pmod n$, it follows that $(x_i - x_j, n)$ is a nontrivial divisor of $n$, as $p$ divides
$x_i - x_j$, but $n$ does not. The number $(x_i - x_j, n)$ can be found quickly using the
Euclidean algorithm. However, to find $(x_i - x_j, n)$ for each pair $(i, j)$ with $0 \le i < j \le s$
requires that we find $O(s^2)$ greatest common divisors. We will show how to reduce the
number of times we must use the Euclidean algorithm.


To find such integers $x_i$ and $x_j$, we use the following procedure: We start with a seed
value $x_0$ that is chosen randomly and a polynomial function $f(x)$ with integer coefficients
of degree greater than 1. We compute the terms $x_k$, $k = 1, 2, 3, \ldots$, using the recursive
definition

$$x_{k+1} \equiv f(x_k) \pmod n, \quad 0 \le x_{k+1} < n.$$

The polynomial $f(x)$ should be chosen so that the probability is high that a suitably large
number of integers $x_i$ are generated before they repeat. Empirical evidence indicates
that the polynomial $f(x) = x^2 + 1$ performs well for this test. The following example
illustrates how this sequence is generated.


Example 4.30. Let $n = 8051$, and suppose that $x_0 = 2$ and $f(x) = x^2 + 1$. We find that
$x_1 = 5$, $x_2 = 26$, $x_3 = 677$, $x_4 = 7474$, $x_5 = 2839$, $x_6 = 871$, and so on. ◄


Now, note that by the recursive definition of $x_k$, it follows that if

$$x_i \equiv x_j \pmod d,$$

where $d$ is a positive integer, then

$$x_{i+1} \equiv f(x_i) \equiv f(x_j) \equiv x_{j+1} \pmod d.$$

It follows that if $x_i \equiv x_j \pmod d$, then the sequence $x_k$ becomes periodic modulo $d$ with
a period dividing $j - i$. That is, $x_q \equiv x_r \pmod d$ whenever $q \equiv r \pmod{j - i}$, and $q \ge i$
and $r \ge i$. It follows that if $s$ is the smallest multiple of $j - i$ that is at least as large as
$i$, then $x_s \equiv x_{2s} \pmod d$.


It follows further that to look for a factor of $n$, we find the greatest common divisor
of $x_{2k} - x_k$ and $n$ for $k = 1, 2, 3, \ldots$. We have found a factor of $n$ when we have found
a value $k$ for which $1 < (x_{2k} - x_k, n) < n$. From our observations, we see that it is likely
that we will find such an integer $k$ with $k$ close to $\sqrt{p}$.


In practice, when the Pollard rho method is used, the polynomial $f(x) = x^2 + 1$ is
often chosen to generate the sequence of integers $x_0, x_1, x_2, \ldots, x_k, \ldots$. Furthermore,
the seed $x_0 = 2$ is often used. This choice of polynomial and seed produces a sequence
that behaves much like a random sequence for the purposes of this factorization method.


Example 4.31. We use the Pollard rho method with seed $x_0 = 2$ and generator
polynomial $f(x) = x^2 + 1$ to find a nontrivial factor of $n = 8051$. We find that $x_1 = 5$,
$x_2 = 26$, $x_3 = 677$, $x_4 = 7474$, $x_5 = 2839$, $x_6 = 871$. Using the Euclidean algorithm, it
follows that $(x_2 - x_1, 8051) = (26 - 5, 8051) = (21, 8051) = 1$ and $(x_4 - x_2, 8051) =
(7474 - 26, 8051) = (7448, 8051) = 1$. However, we find a nontrivial factor of 8051 at
the next step, as $(x_6 - x_3, 8051) = (871 - 677, 8051) = (194, 8051) = 97$. We see that
97 is a factor of 8051. ◄


[Figure 4.1: The Pollard rho method. Labelled points in the diagram include $x_1 = 5$, $x_2 = 26$,
$x_3 = 677 \equiv 95 \pmod{97}$, and $x_4 = 7474 \equiv 5 \pmod{97}$.]


To see why this method is called the Pollard rho method, look at Figure 4.1.
This figure shows the periodic behavior of the sequence $x_i$, where $x_0 = 2$ and
$x_{i+1} \equiv x_i^2 + 1 \pmod{97}$, $i \ge 1$. The part of this sequence that occurs before the periodicity is the
tail of the rho, and the loop is the periodic part.


The Pollard rho method has proved to be practical for the factorization of integers
with moderately large prime factors. In practice, the first attempt to factor a large integer
is to do trial division by small primes, say, by all primes less than 10,000. Next, the
Pollard rho method is used to look for prime factors of intermediate size (up to $10^{15}$,
for instance). Only after trial division by small primes and the Pollard rho method have
failed are the really big guns brought in, such as the quadratic sieve or the elliptic curve
method.
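The search described in this section, computing $(x_{2k} - x_k, n)$ for $k = 1, 2, 3, \ldots$ after a first pass of trial division, is shown below as an added Python example that is not code from the book. The function names, the step limit, and the list of constants tried for $f(x) = x^2 + c$ when one choice fails are assumptions made here.

```python
from math import gcd, isqrt


def rho_sequence(n, count, x0=2, c=1):
    """The terms x_0, x_1, ..., x_count with x_{k+1} = x_k^2 + c (mod n)."""
    xs = [x0 % n]
    for _ in range(count):
        xs.append((xs[-1] * xs[-1] + c) % n)
    return xs


def pollard_rho(n, x0=2, c=1, max_steps=10**6):
    """Return (d, k), where d = (x_2k - x_k, n) is a nontrivial divisor found at step k.

    Returns (None, k) when the gcd equals n (the sequence repeated modulo n itself)
    or when max_steps is exhausted; another seed or polynomial must then be tried.
    """
    def f(x):
        return (x * x + c) % n

    slow = fast = x0 % n
    for k in range(1, max_steps + 1):
        slow = f(slow)                  # x_k
        fast = f(f(fast))               # x_2k
        d = gcd(fast - slow, n)         # Euclidean algorithm
        if 1 < d < n:
            return d, k
        if d == n:
            return None, k
    return None, max_steps


def find_factor(n, trial_bound=10_000):
    """A nontrivial divisor of n, or None if none is found.

    First trial division up to trial_bound (all integers rather than only primes,
    for simplicity), then the Pollard rho method with several polynomials x^2 + c.
    """
    limit = min(trial_bound, isqrt(n))
    for q in range(2, limit + 1):
        if n % q == 0:
            return q
    if isqrt(n) <= trial_bound:
        return None                     # no divisor up to sqrt(n): n is prime (or 1)
    for c in (1, 2, 3, 5, 7):           # assumed retry list, not from the text
        d, _ = pollard_rho(n, x0=2, c=c)
        if d is not None:
            return d
    return None


if __name__ == "__main__":
    print(rho_sequence(8051, 6))        # Example 4.30
    print(pollard_rho(8051))            # Example 4.31: divisor and the step k
    n = 1000003 * 1000033               # constructed composite with no small divisors
    d = find_factor(n)
    print(d, n // d)
```
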


EXERCISES 


1. Use the Pollard rho method with $x_0 = 2$ and $f(x) = x^2 + 1$ to find the prime factorization of
each of the following integers.

a) 133 c) 1927 e) 36,287
b) 1189 d) 8131 f) 48,227

2. Use the Pollard rho method to factor the integer 1387, with the following seeds and generating
polynomials.

a) $x_0 = 2$, $f(x) = x^2 + 1$ c) $x_0 = 2$, $f(x) = x^2 - 1$
b) $x_0 = 3$, $f(x) = x^2 + 1$ d) $x_0 = 2$, $f(x) = x^3 + x + 1$

3. Explain why the choice of $f(x)$ as a linear polynomial, that is, a function of the form
$f(x) = ax + b$, where $a$ and $b$ are integers, is a poor choice.


Computations and Explorations

1. Use the Pollard rho method to factor ten different integers that have between 15 and 20 decimal 
digits. 

2. Use the Pollard rho method to factor a large number of integers that are close to 100,000, 


keeping track of the number of steps required. Can you make any conjectures based on your 
data? 


3. Factor 2°8 + 1 using the Pollard rho method. 


Programming Projects 


1. Given a positive integer n, find a prime factor of this integer using the Pollard rho method. 


5 Applications of Congruences


Congruences have diverse applications. We have already seen some examples of
this, such as in Section 4.3, where we saw how large integers can be multiplied
on a computer using congruences. This chapter covers a wide variety of interesting 
applications of congruences. First, we will show how congruences can be used to develop 
divisibility tests, such as the simple tests you may already know for checking whether an 
integer is divisible by 3 or by 9. Next, we will develop a congruence that determines the 
day of the week for any date in history. Then, we will show how congruences can be used 
to schedule round-robin tournaments. We will discuss some applications of congruences 
in computer science; for example, we will show how congruences are used in hashing 
functions, which themselves have many applications, such as determining computer 
memory locations where data is stored. Finally, we will show how congruences can 
be used to construct check digits, which are used to determine whether an identification 
number has been copied in error. 


In subsequent chapters, we will discuss additional applications of congruences. For 
example, in Chapter 8, we will show how congruences can be used in different ways to 
make messages secret, and in Chapter 10, we will show how congruences can be used 
to generate pseudorandom numbers. 


5.1 Divisibility Tests


You may have learned in primary school that to check whether an integer is divisible by 
3, you need only check whether the sum of its digits is divisible by 3. This is an example 
of a divisibility test that uses the digits of an integer to check whether it is divisible 
by a particular divisor, without actually dividing the integer by that possible divisor. 
In this section, we will develop the theory behind such tests. In particular, we will use 
congruences to develop divisibility tests for integers based on their base b expansions, 
where b is a positive integer. Taking b = 10 will give us the well-known tests for checking 
integers for divisibility by 2, 3, 4, 5, 7, 9, 11, and 13. Although you may have learned 
these divisibility tests a long time ago, you will learn why they work here. 


Divisibility by Powers of 2 First, we develop tests for divisibility by powers of 2.
Let $n = 32{,}688{,}048$. It is easy to see that $n$ is divisible by 2 since its last digit is even.
Consider the following questions. Does $2^2 = 4$ divide $n$? Does $2^3 = 8$ divide $n$? Does
$2^4 = 16$ divide $n$? What is the highest power of 2 that divides $n$? We will develop a test
that does not require that we actually divide $n$ by 4, 8, and successive powers of 2, which
answers these questions.


In the following discussion, let $n = (a_k a_{k-1} \ldots a_1 a_0)_{10}$. Then
$n = a_k 10^k + a_{k-1} 10^{k-1} + \cdots + a_1 10 + a_0$, with $0 \le a_j \le 9$ for $j = 0, 1, 2, \ldots, k$.


Because $10 \equiv 0 \pmod 2$, it follows that $10^j \equiv 0 \pmod{2^j}$ for all positive integers $j$.
Hence,

$$\begin{aligned} n &\equiv (a_0)_{10} \pmod 2, \\ n &\equiv (a_1 a_0)_{10} \pmod{2^2}, \\ n &\equiv (a_2 a_1 a_0)_{10} \pmod{2^3}, \\ &\ \,\vdots \\ n &\equiv (a_{k-1} a_{k-2} \ldots a_1 a_0)_{10} \pmod{2^k}. \end{aligned}$$

These congruences tell us that to determine whether an integer $n$ is divisible by 2, we
only need to examine its last digit for divisibility by 2. Similarly, to determine whether
$n$ is divisible by 4, we only need to check the integer made up of the last two digits of
$n$ for divisibility by 4. In general, to test $n$ for divisibility by $2^j$, we only need to check
the integer made up of the last $j$ digits of $n$ for divisibility by $2^j$.


Example 5.1. Let $n = 32{,}688{,}048$. We see that $2 \mid n$ because $2 \mid 8$, $4 \mid n$ because
$4 \mid 48$, $8 \mid n$ because $8 \mid 48$, $16 \mid n$ because $16 \mid 8048$, but $32 \nmid n$ since $32 \nmid 88{,}048$. ◄


Divisibility by Powers of 5 Next, we develop divisibility tests for powers of 5.


To develop tests for divisibility by powers of 5, first note that because
$10 \equiv 0 \pmod 5$, we have $10^j \equiv 0 \pmod{5^j}$. Hence, divisibility tests for powers of 5
are analogous to those for powers of 2. We only need to check the integer made up of
the last $j$ digits of $n$ to determine whether $n$ is divisible by $5^j$.


Example 5.2. Let $n = 15{,}535{,}375$. Because $5 \mid 5$, $5 \mid n$, because $25 \mid 75$, $25 \mid n$, because
$125 \mid 375$, $125 \mid n$, but because $625 \nmid 5375$, $625 \nmid n$. ◄


Divisibility by 3 and 9 Next, we develop tests for divisibility by 3 and by 9.


Note that both the congruences $10 \equiv 1 \pmod 3$ and $10 \equiv 1 \pmod 9$ hold. Hence,
$10^k \equiv 1 \pmod 3$ and $10^k \equiv 1 \pmod 9$. This gives us the useful congruences

$$\begin{aligned} (a_k a_{k-1} \ldots a_1 a_0)_{10} &= a_k 10^k + a_{k-1} 10^{k-1} + \cdots + a_1 10 + a_0 \\ &\equiv a_k + a_{k-1} + \cdots + a_1 + a_0 \pmod 3 \text{ and } \pmod 9. \end{aligned}$$

Hence, we only need to check whether the sum of the digits of $n$ is divisible by 3, or by
9, to see whether $n$ is divisible by 3, or by 9, respectively.


Example 5.3. Let $n = 4{,}127{,}835$. Then, the sum of the digits of $n$ is $4 + 1 + 2 + 7 +
8 + 3 + 5 = 30$. Because $3 \mid 30$ but $9 \nmid 30$, $3 \mid n$ but $9 \nmid n$. ◄


Divisibility by 11 A rather simple test can be found for divisibility by 11.
Because $10 \equiv -1 \pmod{11}$, we have

$$\begin{aligned} (a_k a_{k-1} \ldots a_1 a_0)_{10} &= a_k 10^k + a_{k-1} 10^{k-1} + \cdots + a_1 10 + a_0 \\ &\equiv a_k(-1)^k + a_{k-1}(-1)^{k-1} + \cdots - a_1 + a_0 \pmod{11}. \end{aligned}$$

This shows that $(a_k a_{k-1} \ldots a_1 a_0)_{10}$ is divisible by 11 if and only if $a_0 - a_1 + a_2 - \cdots +
(-1)^k a_k$, the integer formed by alternately adding and subtracting the digits, is divisible
by 11.


Example 5.4. We see that 723,160,823 is divisible by 11, because alternately adding
and subtracting its digits yields $3 - 2 + 8 - 0 + 6 - 1 + 3 - 2 + 7 = 22$, which is
divisible by 11. On the other hand, 33,678,924 is not divisible by 11, because $4 - 2 + 9 -
8 + 7 - 6 + 3 - 3 = 4$ is not divisible by 11. ◄


Divisibility by 7, 11, and 13 Next, we develop a test to simultaneously check for
divisibility by the primes 7, 11, and 13.


Note that $7 \cdot 11 \cdot 13 = 1001$ and $10^3 = 1000 \equiv -1 \pmod{1001}$. Hence,

$$\begin{aligned} (a_k a_{k-1} \ldots a_0)_{10} &= a_k 10^k + a_{k-1} 10^{k-1} + \cdots + a_1 10 + a_0 \\ &= (a_0 + 10a_1 + 100a_2) + 1000(a_3 + 10a_4 + 100a_5) \\ &\quad + (1000)^2(a_6 + 10a_7 + 100a_8) + \cdots \\ &\equiv (100a_2 + 10a_1 + a_0) - (100a_5 + 10a_4 + a_3) \\ &\quad + (100a_8 + 10a_7 + a_6) - \cdots \\ &= (a_2 a_1 a_0)_{10} - (a_5 a_4 a_3)_{10} + (a_8 a_7 a_6)_{10} - \cdots \pmod{1001}. \end{aligned}$$

This congruence tells us that an integer is congruent modulo 1001 to the integer formed
by successively adding and subtracting the three-digit integers with decimal expansions
formed from successive blocks of three decimal digits of the original number, where
digits are grouped starting with the rightmost digit. As a consequence, because 7, 11,
and 13 are divisors of 1001, to determine whether an integer is divisible by 7, 11, or 13,
we only need to check whether this alternating sum and difference of blocks of three
digits is divisible by 7, 11, or 13.


Example 5.5. Let $n = 59{,}358{,}208$. Because the alternating sum and difference of the
integers formed from blocks of three digits, $208 - 358 + 59 = -91$, is divisible by 7 and
13, but not by 11, we see that $n$ is divisible by 7 and 13, but not by 11. ◄


Another way to test for divisibility by 7, 11, 13, or indeed, any integer relatively 
prime to 10, is developed in the exercises. 


Divisibility Tests Using Base b Representations All of the divisibility tests we have 
developed thus far are based on decimal representations. We now develop divisibility 
tests using base b representations, where b is a positive integer. 
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Theorem 5.1. Ifd | b and j and k are positive integers with j < k, then (a; - - - aja), 
is divisible by d/ if and only if (a;_1 - - - aa), is divisible by d/. 


Proof. Because b = 0 (mod a), it follows that b/ = 0 (mod d/). Hence, 
(Apag_1*+*@4A9)p =a,b* +... + a,b! + a,b) +:+++a,;b+a9 
=a,;_\bl"!+---+ayb +a 
= (aj_1 +++ 4a), (mod d/). 
Consequently, d/ | (ayay_,- + +19), if and only if d/ | (a;_1 -- + ajaq)p. = 
Theorem 5.1 extends to other bases the divisibility tests of integers expressed in 
decimal notation by powers of 2 and by powers of 5. 
Theorem 5.2. Ifd|(b — 1), thenn = (a; . . . ajdo),, is divisible by d if and only if the 
sum of digits a, + --- + a, + dg is divisible by d. 


Proof. Because $d \mid (b - 1)$, we have $b \equiv 1 \pmod{d}$, so that by Theorem 4.8 we have 
$b^j \equiv 1 \pmod{d}$ for all positive integers $j$. Hence, 
$n = (a_k \cdots a_1 a_0)_b = a_k b^k + \cdots + a_1 b + a_0 \equiv a_k + \cdots + a_1 + a_0 \pmod{d}$. 
This shows that $d \mid n$ if and only if $d \mid (a_k + \cdots + a_1 + a_0)$. ■ 

Theorem 5.2 extends to other bases the tests for divisibility of integers expressed in 
decimal notation by 3 and by 9. 


Theorem 5.3. If $d \mid (b + 1)$, then $n = (a_k \cdots a_1 a_0)_b$ is divisible by $d$ if and only if the 
alternating sum of digits $(-1)^k a_k + \cdots - a_1 + a_0$ is divisible by $d$. 

Proof. Because $d \mid (b + 1)$, we have $b \equiv -1 \pmod{d}$. Hence, $b^j \equiv (-1)^j \pmod{d}$, and 
consequently, $n = (a_k \cdots a_1 a_0)_b \equiv (-1)^k a_k + \cdots - a_1 + a_0 \pmod{d}$. Hence, $d \mid n$ if 
and only if $d \mid ((-1)^k a_k + \cdots - a_1 + a_0)$. ■ 


Theorem 5.3 extends to other bases the test for divisibility by 11 of integers expressed 
in decimal notation. 


Example 5.6. Let $n = (7F28A6)_{16}$ (in hex notation). Here, the base is $b = 16$. Because 
$2 \mid 16$, we can apply Theorem 5.1 to test for divisibility by powers of 2. We see that $2 \mid n$ 
because 2 divides the last digit 6. But $2^2 = 4$ does not divide $n$, because 
$4 \nmid (A6)_{16} = (166)_{10}$. 


Because $b - 1 = 15 = 3 \cdot 5$, we can apply Theorem 5.2 to test for divisibility by 3, 5, 
and 15. Note that the sum of the digits of $n$ is $7 + F + 2 + 8 + A + 6 = (30)_{16} = (48)_{10}$. 
Because $3 \mid 48$, but $5 \nmid 48$ and $15 \nmid 48$, Theorem 5.2 tells us that $3 \mid n$, but $5 \nmid n$ and 
$15 \nmid n$. 


Because $b + 1 = 17$, we can apply Theorem 5.3 to test for divisibility by 17. Note that 
the alternating sum of the digits is $6 - A + 8 - 2 + F - 7 = (A)_{16} = (10)_{10}$. Because 
$17 \nmid 10$, Theorem 5.3 tells us that $17 \nmid n$. 


Example 5.7. Let $n = (1001001111)_2$. Then, using Theorem 5.3 we see that $3 \mid n$, 
because $n \equiv 1 - 1 + 1 - 1 + 0 - 0 + 1 - 0 + 0 - 1 \equiv 0 \pmod{3}$ and $3 \mid (2 + 1)$. 
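
The three base b tests can be checked mechanically. The following Python sketch is an added example, not part of the text; the function names are chosen here for illustration. It applies Theorems 5.1, 5.2 and 5.3 to the digits of a numeral and compares each verdict with a direct computation of n mod d, using the integers of Examples 5.6 and 5.7.

```python
"""Divisibility tests read off the base-b digits (Theorems 5.1, 5.2, 5.3)."""


def digits_lsf(text, b):
    """Parse a base-b numeral into [a_0, a_1, ..., a_k], least significant first."""
    if not 2 <= b <= 36:
        raise ValueError("this parser handles bases 2..36")
    digs = [int(ch, 36) for ch in reversed(text)]
    if any(a >= b for a in digs):
        raise ValueError(f"{text!r} is not a base-{b} numeral")
    return digs


def value(digs, b):
    """Horner evaluation of the digits; used to cross-check the digit tests."""
    n = 0
    for a in reversed(digs):
        n = n * b + a
    return n


def low_digits_rule(digs, b, d, j):
    """Theorem 5.1: if d | b, then d^j | n iff d^j | (a_{j-1} ... a_1 a_0)_b."""
    if d < 2 or b % d != 0 or j < 1:
        raise ValueError("Theorem 5.1 needs d | b and j >= 1")
    return value(digs[:j], b) % d**j == 0


def highest_power(digs, b, d):
    """Largest j with d^j | n, found by applying Theorem 5.1 for j = 1, 2, ..."""
    if not any(digs):
        raise ValueError("every power of d divides 0")
    j = 0
    while low_digits_rule(digs, b, d, j + 1):
        j += 1
    return j


def alternating_sum(digs):
    """a_0 - a_1 + a_2 - ... + (-1)^k a_k."""
    return sum(a if i % 2 == 0 else -a for i, a in enumerate(digs))


def digit_sum_rule(digs, b, d):
    """Theorem 5.2: if d | (b - 1), then d | n iff d | a_k + ... + a_1 + a_0."""
    if (b - 1) % d != 0:
        raise ValueError("Theorem 5.2 needs d | (b - 1)")
    return sum(digs) % d == 0


def alternating_sum_rule(digs, b, d):
    """Theorem 5.3: if d | (b + 1), then d | n iff d | the alternating digit sum."""
    if (b + 1) % d != 0:
        raise ValueError("Theorem 5.3 needs d | (b + 1)")
    return alternating_sum(digs) % d == 0


def divisors(n):
    """Divisors of n that are at least 2."""
    return [d for d in range(2, n + 1) if n % d == 0]


def report(text, b):
    """Rows (theorem, d, verdict of the digit test, verdict of n mod d)."""
    digs = digits_lsf(text, b)
    n = value(digs, b)
    rows = [("5.2", d, digit_sum_rule(digs, b, d), n % d == 0)
            for d in divisors(b - 1)]
    rows += [("5.3", d, alternating_sum_rule(digs, b, d), n % d == 0)
             for d in divisors(b + 1)]
    return rows


if __name__ == "__main__":
    for numeral, base in [("7F28A6", 16), ("1001001111", 2)]:
        for row in report(numeral, base):
            print(numeral, base, row)
    print("highest power of 2 dividing (7F28A6)_16:",
          highest_power(digits_lsf("7F28A6", 16), 16, 2))
```
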

5.1 EXERCISES 


1. Determine the highest power of 2 that divides each of the following positive integers. 


a) 201,984 b) 1,423,408 c) 89,375,744 d) 41,578,912,246 
2. Determine the highest power of 5 that divides each of the following positive integers. 
a) 112,250 b) 4,860,625 c) 235,555,790 d) 48,126,953,125 

3. Which of the following integers are divisible by 3? Of those that are, which are divisible 
by 9? 
a) 18,381 b) 65,412,351 c) 987,654,321 d) 78,918,239,735 

4. Which of the following integers are divisible by 11? 
a) 10,763,732 b) 1,086,320,015 c) 674,310,976,375 d) 8,924,310,064,537 

5. Find the highest power of 2 that divides each of the following integers. 
a) $(101111110)_2$ b) $(1010000011)_2$ c) $(111000000)_2$ d) $(1011011101)_2$ 

6. Determine which of the integers in Exercise 5 are divisible by 3. 

7. Which of the following integers are divisible by 2? 
a) $(1210122)_3$ b) (211102103 c) $(1112201112)_3$ d) $(10122222011101)_3$ 

8. Which of the integers in Exercise 7 are divisible by 4? 

9. Which of the following integers are divisible by 3, and which are divisible by 5? 
a) $(3EA235)_{16}$ b) $(ABCDEF)_{16}$ c) $(F117921173)_{16}$ d) $(10AB987301F)_{16}$ 

10. Which of the integers in Exercise 9 are divisible by 17? 

A repunit is an integer with decimal expansion containing all 1s. 

11. Determine which repunits are divisible by 3, and which are divisible by 9. 

12. Determine which repunits are divisible by 11. 

13. Determine which repunits are divisible by 1001. Which are divisible by 7? by 13? 


14. Determine which repunits with fewer than 10 digits are prime. 
A base b repunit is an integer with base b expansion containing all 1s. 
15. Determine which base b repunits are divisible by factors of b — 1. 


16. Determine which base b repunits are divisible by factors of b + 1. 


A base b palindromic integer is an integer whose base b representation reads the same 
forward and backward. 


17. Show that every decimal palindromic integer with an even number of digits is divisible 
by 11. 

18. Show that every base 7 palindromic integer with an even number of digits is divisible by 8. 

19. Develop a test for divisibility by 37, based on the fact that $10^3 \equiv 1 \pmod{37}$. Use this to check 
443,692 and 11,092,785 for divisibility by 37. 

20. Devise a test for integers represented in base b notation to check for divisibility by n, where 
n is a divisor of $b^2 + 1$. (Hint: Split the digits of the base b representation of the integer into 
blocks of two, starting on the right.) 

21. Use the test that you developed in Exercise 20 to decide whether 
a) $(101110110)_2$ is divisible by 5. 
b) $(12100122)_3$ is divisible by 2, and whether it is divisible by 5. 
c) (364701244) is divisible by 5, and whether it is divisible by 13. 
d) $(5837041320219)_{10}$ is divisible by 101. 

22. An old receipt has faded. It reads 88 chickens at a total of $x4.2y, where x and y are unreadable 
digits. How much did each chicken cost? 

23. Use a congruence modulo 9 to find the missing digit, indicated by a question mark: 
89,878 · 58,965 = 5299?56270. 

24. Suppose that n = 31,888,X74, where X is a missing digit. Find all possible values of X so 
that n is divisible by each of these integers: 
a) 2 b) 3 c) 4 d) 5 e) 9 f) 11 

25. Suppose that n = 917,4X8,835, where X is a missing digit. Find all possible values of X so 
that n is divisible by each of these integers: 
a) 2 b) 3 c) 5 d) 9 e) 11 f) 25 


We can check a multiplication c = ab by determining whether the congruence $c \equiv ab \pmod{m}$ is 
valid, where m is any modulus. If we find that c is not congruent to ab modulo m, then we know 
that an error has been made. When we take m = 9 and use the fact that an integer in decimal 
notation is congruent modulo 9 to the sum of its digits, this check is called casting out nines. 


26. Check each of the following multiplications by casting out nines. 
a) 875,961 · 2753 = 2,410,520,633 
b) 14,789 · 23,567 = 348,532,367 
c) 24,789 · 43,717 = 1,092,700,713 


27. Is a check of a multiplication by casting out nines foolproof? 


28. What combinations of digits of a decimal expansion of an integer are congruent to this integer 
modulo 99? Use your answer to devise a check for multiplication based on casting out ninety- 
nines. Then use the test to check the multiplications in Exercise 26. 


29. In this exercise, we develop a general approach for constructing divisibility tests. Suppose 
that $n = (a_k a_{k-1} \cdots a_1 a_0)_{10}$ and $d$ is a positive integer with $(d, 10) = 1$. First, show that if 
$e$ is an inverse of 10 modulo $d$, then $d \mid n$ if and only if $d \mid n' = (n - a_0)/10 + e a_0$. Use 
this fact to show that we can determine whether $n$ is divisible by $d$ by forming the sequence 
$n, n', (n')', \ldots$, until we reach a term that we can examine by hand to determine whether it 
is divisible by $d$. 


30. Use Exercise 29 to develop a test for divisibility by each of these integers: 
a) 7 b) 11 c) 17 d) 23 


31. Use Exercise 29 to develop a test for divisibility by each of these integers: 
a) 13 b) 19 c) 21 d) 27 

32. Use the tests you developed in Exercise 30 to determine which of 7, 11, 17, and 23 divide 
these numbers. 
a) 851 b) 8,694 c) 20,493 d) 558,851 

33. Use the tests you developed in Exercise 31 to determine which of 13, 19, 21, and 27 divide 
these numbers. 
a) 798 b) 2,340 c) 34,257 d) 348,327 


Computations and Explorations 


1. Determine whether the repunit with n digits is prime, where n is a positive integer not 
exceeding 30. Can you go further? 


Programming Projects 


1. Given a positive integer n, determine the highest powers of 2 and of 5 that divide n. 

2. Given a positive integer n, test n for divisibility by 3, 7, 9, 11, and 13. (Use congruences 
modulo 1001 for divisibility by 7 and 13.) 

3. Given a positive integer n, determine the highest power of each factor of b that divides an 
integer from the base b expansion of n. 

4. Given a positive integer n and a base b, use the base b expansion of n to determine whether 
it is divisible by factors of b − 1 and of b + 1. 


5.2 The Perpetual Calendar 


In this section, we derive a formula that gives us the day of the week of any day of any 
year. Because the days of the week form a cycle of length seven, we use a congruence 
modulo 7. We denote each day of the week by a number in the set 0, 1, 2, 3, 4, 5, 6, 
setting 


• Sunday = 0, 
• Monday = 1, 
• Tuesday = 2, 
• Wednesday = 3, 
• Thursday = 4, 
• Friday = 5, 
• Saturday = 6. 


Julius Caesar changed the Egyptian calendar, which was based on a year of exactly 
365 days, to a new calendar, called the Julian calendar, with a year of average length 
365 1/4 days, with leap years every fourth year, to better reflect the true length of the 
year. However, more recent calculations have shown that the true length of the year is 
approximately 365.2422 days. As the centuries passed, the discrepancies of 0.0078 days 
per year added up, so that by the year 1582 approximately 10 extra days had been added 
unnecessarily in leap years. To remedy this, in 1582 Pope Gregory set up a new calendar. 
First, 10 days were added to the date, so that October 5, 1582, became October 15, 1582 
(and the 6th through the 14th of October were skipped). It was decided that leap years 
would be precisely the years divisible by 4, except that those exactly divisible by 100, 
the years that mark centuries, would be leap years only when divisible by 400. As an 
example, the years 1700, 1800, 1900, and 2100 are not leap years, but 1600 and 2000 
are. With this arrangement, the average length of a calendar year became 365.2425 days, 
rather close to the true year of 365.2422 days. An error of 0.0003 days per year remains, 
which is 3 days per 10,000 years. In the future, this discrepancy will have to be accounted 
for, and various possibilities have been suggested to correct for this error. 


In dealing with calendar dates for various parts of the world, we must also take into 
account the fact that the Gregorian calendar was not adopted everywhere in 1582. In 
Britain and what is now the United States, the Gregorian calendar was adopted only in 
1752, and by then it was necessary to add 11 days. In these places September 3, 1752, 
in the Julian calendar became September 14, 1752, in the Gregorian calendar. Japan 
changed over in 1873, Russia and nearby countries in 1917, while Greece held out until 
1923. 


We now set up our procedure, called the perpetual calendar, for finding the day of the 
week for a given date in the Gregorian calendar. We first must make some adjustments, 
because the extra day in a leap year comes at the end of February. We take care of this 
by renumbering the months, starting each year in March, and considering the months 
of January and February part of the preceding year. For instance, February 2000 is 
considered the twelfth month of 1999, and May 2000 is considered the third month 
of 2000. With this convention, for the day of interest, let 


• k = day of the month, 

• m = month, with 

January = 11    May = 3       September = 7 
February = 12   June = 4      October = 8 
March = 1       July = 5      November = 9 
April = 2       August = 6    December = 10 

• N = year, where N is the current year unless the month is January or February, in which 
case N is the previous year, and where N = 100C + Y, where 

• C = century, 
• Y = particular year of the century. 


Example 5.8. For the date April 3, 1951, we have k = 3, m = 2, N = 1951, C = 19, 
and Y = 51. But note that for February 28, 1951, we have k = 28, m = 12, N = 1950, 
C = 19, and Y = 50, because, for our calculations, we consider February to be the twelfth 
month of the previous year. 


We use March 1 of each year as our basis. Let $d_N$ represent the day of the week of 
March 1 in year N. We start with the year 1600, and compute the day of the week March 
1 falls on in any given year. Note that between March 1 of year N − 1 and March 1 of 
year N, if year N is not a leap year, 365 days have passed; and because $365 \equiv 1 \pmod{7}$, 
we see that $d_N \equiv d_{N-1} + 1 \pmod{7}$, whereas if year N is a leap year, because there is 
an extra day between the consecutive firsts of March, we see that 


$$d_N \equiv d_{N-1} + 2 \pmod{7}.$$ 


Hence, to find $d_N$ from $d_{1600}$, we must first find out how many leap years have occurred 
between the year 1600 and the year N (not including 1600, but including N); let us 
call this number x. To compute x, first note that by the division algorithm there are 
$[(N - 1600)/4]$ years divisible by 4 between 1600 and N, there are $[(N - 1600)/100]$ 
years divisible by 100 between 1600 and N, and there are $[(N - 1600)/400]$ years 
divisible by 400 between 1600 and N. Hence, 
$$\begin{aligned}
x &= [(N - 1600)/4] - [(N - 1600)/100] + [(N - 1600)/400] \\
&= [N/4] - 400 - [N/100] + 16 + [N/400] - 4 \\
&= [N/4] - [N/100] + [N/400] - 388.
\end{aligned}$$
(We have used the identity from Example 1.4 to simplify this expression.) Putting this 
in terms of C and Y, we see that 
$$\begin{aligned}
x &= [25C + (Y/4)] - [C + (Y/100)] + [(C/4) + (Y/400)] - 388 \\
&= 25C + [Y/4] - C + [C/4] - 388 \\
&\equiv 3C + [C/4] + [Y/4] - 3 \pmod{7}.
\end{aligned}$$
Here we have again used the identity from Example 1.4, the inequality $Y/100 < 1$, and 
the equation $[(C/4) + (Y/400)] = [C/4]$ (which follows from Exercise 27 of Section 
1.5, because $Y/400 < 1/4$). 


We can now compute $d_N$ from $d_{1600}$ by shifting $d_{1600}$ by one day for every year that 
has passed, plus an extra day for each leap year between 1600 and N. This gives the 
following formula: 
$$\begin{aligned}
d_N &\equiv d_{1600} + N - 1600 + x \\
&\equiv d_{1600} + 100C + Y - 1600 + 3C + [C/4] + [Y/4] - 3 \pmod{7}.
\end{aligned}$$
Simplifying, we have 
$$d_N \equiv d_{1600} - 2C + Y + [C/4] + [Y/4] \pmod{7}.$$ 


Now that we have a formula relating the day of the week for March 1 of any year to the 
day of the week of March 1, 1600, we can use the fact that March 1, 1982, is a Monday 
to find the day of the week of March 1, 1600. For 1982, because N = 1982, we have 
C = 19, and Y = 82, and since $d_{1982} = 1$, it follows that 

$$1 \equiv d_{1600} - 38 + 82 + [19/4] + [82/4] \equiv d_{1600} - 2 \pmod{7}.$$ 
Hence, $d_{1600} = 3$, so that March 1, 1600, was a Wednesday. When we insert the value of 
$d_{1600}$, the formula for $d_N$ becomes 


$$d_N \equiv 3 - 2C + Y + [C/4] + [Y/4] \pmod{7}.$$ 

We now use this formula to compute the day of the week of the first day of each 
month of year N. To do this, we need the number of days by which the first day of a 
given month is shifted, as a day of the week, from the first day of the preceding 
month. The months with 30 days shift the first of the following month up 2 days, because 
$30 \equiv 2 \pmod{7}$, and those with 31 days shift the first of the following month up 3 days, 
because $31 \equiv 3 \pmod{7}$. Therefore, we must add the following amounts: 

from March 1 to April 1: 3 days 
from April 1 to May 1: 2 days 
from May 1 to June 1: 3 days 
from June 1 to July 1: 2 days 
from July 1 to August 1: 3 days 
from August 1 to September 1: 3 days 
from September 1 to October 1: 2 days 
from October 1 to November 1: 3 days 
from November 1 to December 1: 2 days 
from December 1 to January 1: 3 days 
from January 1 to February 1: 3 days. 

We need a formula that gives us the same increments. Notice that we have 11 increments, 
7 of 3 days and 4 of 2 days, totaling 29 days, so that each increment averages 2.6 days. By 
inspection, we find that the function $[2.6m - 0.2] - 2$ has exactly the same increments 
as m goes from 2 to 12, and is zero when m = 1. (This formula was originally found 
by Christian Zeller;¹ he apparently found it by trial and error.) Hence, the day of the 
week of the first day of month m of year N is given by the least nonnegative residue of 
$d_N + [2.6m - 0.2] - 2$ modulo 7. 


To find W, the day of the week of day k of month m of year N, we simply add k − 1 
to the formula we have devised for the day of the week of the first day of the same month. 
We obtain the formula 


$$W \equiv k + [2.6m - 0.2] - 2C + Y + [Y/4] + [C/4] \pmod{7}.$$ 


We can use this formula to find the day of the week of any date of any year in the 
Gregorian calendar. 


Example 5.9. To find the day of the week of January 1, 1900, we have C = 18, Y = 99, 
m = 11, and k = 1 (because we consider January as the eleventh month of the preceding 
year). Hence, we have $W \equiv 1 + 28 - 36 + 99 + 24 + 4 \equiv 1 \pmod{7}$, so that January 1, 
1900, was a Monday. 
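
The formula for W translates directly into a short program. The following Python sketch is an added example, not part of the text; the function names are chosen here. It evaluates [2.6m − 0.2] as the integer quotient (13m − 1)/5 to avoid floating-point rounding, reproduces Examples 5.8 and 5.9, and counts disagreements with Python's `datetime` module, which uses the same Gregorian leap-year rule.

```python
"""Perpetual calendar: W = k + [2.6m - 0.2] - 2C + Y + [Y/4] + [C/4] (mod 7)."""
import datetime

DAY_NAMES = ["Sunday", "Monday", "Tuesday", "Wednesday",
             "Thursday", "Friday", "Saturday"]


def renumber(year, month):
    """Map a civil (year, month) to the text's (N, m): March = 1, ..., February = 12."""
    if not 1 <= month <= 12:
        raise ValueError("month must be 1..12")
    if month >= 3:
        return year, month - 2
    return year - 1, month + 10   # January, February belong to the preceding year


def month_term(m):
    """[2.6m - 0.2] in exact integer arithmetic, since 2.6m - 0.2 = (13m - 1)/5."""
    return (13 * m - 1) // 5


def day_of_week(year, month, day):
    """Day of the week (0 = Sunday, ..., 6 = Saturday) of a Gregorian date."""
    N, m = renumber(year, month)
    C, Y = divmod(N, 100)
    # Python's % returns the least nonnegative residue even when the sum is
    # negative; in languages where % can be negative, add 7 before reducing.
    return (day + month_term(m) - 2 * C + Y + Y // 4 + C // 4) % 7


def month_increments():
    """Shift of the first of the month from month m to month m + 1, m = 1..11."""
    return [month_term(m + 1) - month_term(m) for m in range(1, 12)]


def mismatches(first_year, last_year):
    """Number of dates on which the formula and datetime disagree."""
    d = datetime.date(first_year, 1, 1)
    end = datetime.date(last_year, 12, 31)
    bad = 0
    while d <= end:
        # datetime numbers Monday = 0, ..., Sunday = 6; shift to Sunday = 0.
        if day_of_week(d.year, d.month, d.day) != (d.weekday() + 1) % 7:
            bad += 1
        d += datetime.timedelta(days=1)
    return bad


if __name__ == "__main__":
    for y, mo, dd in [(1900, 1, 1), (1951, 4, 3), (1600, 3, 1), (1982, 3, 1)]:
        print(f"{y}-{mo:02d}-{dd:02d}", DAY_NAMES[day_of_week(y, mo, dd)])
    print("increments:", month_increments())
    print("mismatches 1600..2400:", mismatches(1600, 2400))
```
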


1 Christian Julius Johannes Zeller (1849-1899) was born in Muhlhausen on the Neckar in Germany. He became 
a priest at Schokingen after completing his theological studies. He served as the principal of a women’s college 
at Markgroningen from 1847 until 1898. He published his formula for the day of the week of a date in 1882. 


5.2 EXERCISES 


1. Find the day of the week of the day you were born, and of your birthday this year. 

2. Find the day of the week of the following important dates in U.S. history (use the Julian 
calendar before September 3, 1752, and the Gregorian calendar from September 14, 1752, to 
the present). 
* a) October 12, 1492 (Columbus sights land in the Caribbean) 
* b) May 6, 1692 (Peter Minuit buys Manhattan from the natives) 
* c) June 15, 1752 (Benjamin Franklin invents the lightning rod) 
d) July 4, 1776 (U.S. Declaration of Independence) 
e) March 30, 1867 (U.S. buys Alaska from Russia) 
f) March 17, 1888 (Great blizzard in the Eastern U.S.) 
g) February 15, 1898 (U.S. Battleship Maine blown up in Havana Harbor) 
h) July 2, 1925 (Scopes convicted of teaching evolution) 
i) July 16, 1945 (First atomic bomb exploded) 
j) July 20, 1969 (First man on the moon) 
k) August 9, 1974 (President Nixon resigns) 
l) March 28, 1979 (Three Mile Island nuclear accident) 
m) January 1, 1984 (“Ma Bell” breakup) 
n) December 25, 1991 (Demise of the U.S.S.R.) 
o) June 5, 2027 (First man on Mars) 

3. How many times will the 13th of the month fall on a Friday in the year 2020? 

4. How many leap years will there be from the year 1 until the year 10,000, inclusive? 

5. To correct the small discrepancy between the number of days in a year of the Gregorian 
calendar and an actual year, it has been suggested that the years exactly divisible by 4000 
should not be leap years. Adjust the formula for the day of the week of a given date to take 
this correction into account. 

6. Show that days with the same calendar date in two different years of the same century, 28, 56, 
or 84 years apart, fall on the identical day of the week. 

7. Which of your birthdays, until your one hundredth, fall on the same day of the week as the 
day you were born? 

8. What is the next term in the sequence 1995, 1997, 1998, 1999, 2001, 2002, 2003? 

9. What is the next term in the sequence 1700, 1800, 1900, 2100, 2200, 2300? 

10. Show that the number of leap years that occur in any 400 consecutive years is always the 
same and find this number of years. 

11. Show the 13th day of each of two consecutive months is a Friday if and only if these months 
are the February and March of a year for which January 1 falls on a Thursday. 


12. A new calendar called the International Fixed Calendar has been proposed. In this calendar, 
there are 13 months, including all of our present months, plus a new month, called Sol, which 
is placed between June and July. Each month has 28 days, except for the June of leap years, 
which has an extra day (leap years are determined the same way as in the Gregorian calendar). 
There is an extra day, Year End Day, which is not in any month, which we may consider as 
December 29. Devise a perpetual calendar for the International Fixed Calendar to give the 
day of the week for any calendar date. 

13. Show that every year in the Gregorian calendar includes at least one Friday the 13th. 

14. Show that for every year of the Gregorian calendar and for every integer k with 1 < k < 30, as 
the 12 months of the year pass, the kth day of the month falls on all seven days of the week. 

15. Given a year in the Gregorian calendar, determine on how many different days of the week 
the 31st of a month falls. 

16. Determine the largest possible number of years in a century during which the month of 
February has five Sundays. 


Computations and Explorations 


1. Find the number of times that the thirteenth of a month falls on a Friday for all years between 
1800 and 2300. Can you make and prove a conjecture based on your evidence? 


Programming Projects 


1. Given a date (month, day, and year), determine the day of the week on which it falls. 

2. Given a year, print out a calendar of that year. 

3. Given a year, print out a calendar for the International Fixed Calendar (see Exercise 12) for 
that year. 


5.3 Round-Robin Tournaments 


Congruences can be used to schedule round-robin tournaments. In this section, we show 
how to schedule a tournament for N different teams where every team plays at most one 
match per day, and the tournament lasts N — 1 days, so that each team plays every other 
team exactly once. The method we describe was developed by Freund [Fr56]. 


First, note that if N is odd, not all teams can be scheduled in each round, because 
when teams are paired, the total number of teams playing is even. So, if N is odd, we add 
a dummy team, and if a team is paired with the dummy team during a particular round, 
it draws a bye in that round and does not play. Hence, we can assume that we always 
have an even number of teams, with the addition of a dummy team if necessary. 


We label the N teams with the integers 1, 2, 3, ..., N − 1, N. We construct a 
schedule, pairing teams in the following way. We have team i, with $i \neq N$, play team 
j, with $j \neq N$ and $j \neq i$, in the kth round if $i + j \equiv k \pmod{N - 1}$. This schedules 
games for all teams in round k, except for team N and the one team i for which 
$2i \equiv k \pmod{N - 1}$. There is one such team because Corollary 4.11.1 tells us that the 
congruence $2x \equiv k \pmod{N - 1}$ has exactly one solution with $1 \le x \le N - 1$, because 
$(2, N - 1) = 1$. We match this team i with team N in the kth round. 


We must now show that each team plays every other team exactly once. We consider 
the first N − 1 teams. Note that team i, where $1 \le i \le N - 1$, plays team N in round k, 
where $2i \equiv k \pmod{N - 1}$, and this happens exactly once. In the other rounds, team i 
does not play the same team twice, for if team i played team j in both rounds k and k′, then 
$i + j \equiv k \pmod{N - 1}$ and $i + j \equiv k' \pmod{N - 1}$, which is an obvious contradiction 
because $k \not\equiv k' \pmod{N - 1}$. Hence, because each of the first N − 1 teams plays N − 1 
games, and does not play any team more than once, it plays every team exactly once. 
Also, team N plays N − 1 games, and since every other team plays team N exactly once, 
team N plays every other team exactly once. 


                     Team 
Round |  1  |  2  |  3  |  4  |  5 
  1   |  5  |  4  | bye |  2  |  1 
  2   | bye |  5  |  4  |  3  |  2 
  3   |  2  |  1  |  5  | bye |  3 
  4   |  3  | bye |  1  |  5  |  4 
  5   |  4  |  3  |  2  |  1  | bye 

Table 5.1 Round-robin schedule for five teams. 


Example 5.10. To schedule a round-robin tournament with five teams, labeled 1, 2, 
3, 4, and 5, we include a dummy team labeled 6. In round one, team 1 plays team j, 
where $1 + j \equiv 1 \pmod{5}$. This is the team j = 5, so that team 1 plays team 5. Team 2 is 
scheduled in round one with team 4, since the solution of $2 + j \equiv 1 \pmod{5}$ is j = 4. 
Because i = 3 is the solution of the congruence $2i \equiv 1 \pmod{5}$, team 3 is paired with the 
dummy team 6, and hence draws a bye in the first round. If we continue this procedure 
and finish scheduling the other rounds, we end up with the pairings shown in Table 5.1, 
where the opponent of team i in round k is given in the kth row and ith column. 
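
The scheduling rule can be carried out for any number of teams. The following Python sketch is an added example, not part of the text; the function names are chosen here. It builds the schedule from the congruence i + j ≡ k (mod N − 1), adds the dummy team when the number of teams is odd, and checks that every pair of teams meets exactly once.

```python
"""Round-robin schedule from the congruence i + j = k (mod N - 1)."""


def round_robin(n_teams):
    """Return one dict per round mapping each team to its opponent or 'bye'."""
    if n_teams < 2:
        raise ValueError("need at least two teams")
    N = n_teams + (n_teams % 2)        # add a dummy team N when n_teams is odd
    has_dummy = N != n_teams
    rounds = []
    for k in range(1, N):              # rounds 1 .. N-1
        opponent = {}
        for i in range(1, N):          # teams 1 .. N-1
            # the j in 1..N-1 with i + j congruent to k modulo N - 1
            j = (k - i) % (N - 1) or (N - 1)
            if j == i:                 # 2i = k (mod N-1): team i meets team N
                j = N
                opponent[N] = i
            opponent[i] = j
        if has_dummy:                  # meeting the dummy team means a bye
            del opponent[N]
            opponent = {t: ("bye" if o == N else o)
                        for t, o in opponent.items()}
        rounds.append(opponent)
    return rounds


def meetings(rounds):
    """Count how often each unordered pair of real teams meets."""
    count = {}
    for opponent in rounds:
        for team, other in opponent.items():
            if other != "bye" and team < other:
                count[(team, other)] = count.get((team, other), 0) + 1
    return count


def is_valid(n_teams):
    """True when pairings are mutual and every pair meets exactly once."""
    rounds = round_robin(n_teams)
    mutual = all(o == "bye" or r[o] == t for r in rounds for t, o in r.items())
    one_game_per_round = all(
        sorted(r) == list(range(1, n_teams + 1))
        and sum(1 for o in r.values() if o == "bye") == n_teams % 2
        for r in rounds)
    count = meetings(rounds)
    all_pairs_once = (len(count) == n_teams * (n_teams - 1) // 2
                      and set(count.values()) <= {1})
    return mutual and one_game_per_round and all_pairs_once


if __name__ == "__main__":
    for k, opponent in enumerate(round_robin(5), start=1):
        print(k, [opponent[t] for t in sorted(opponent)])
    print(all(is_valid(n) for n in range(2, 21)))
```
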


5.3 EXERCISES 


1. Set up a round-robin tournament schedule for the following. 
a) 7 teams b) 8 teams c) 9 teams d) 10 teams 

2. In round-robin tournament scheduling, we wish to assign a home team and an away team for 
each game so that each of N teams, where N is odd, plays an equal number of home games 
and away games. Show that if, when i + j is odd, we assign the smaller of i and j as the 
home team, whereas if i + j is even, we assign the larger of i and j as the home team, then 
each team plays an equal number of home and away games. 

3. In round-robin tournament scheduling, use Exercise 2 to determine the home team for each 
game for the following numbers of teams. 
a) 5 teams b) 7 teams c) 9 teams 


Computations and Explorations 


1. Construct a round-robin schedule for a tournament with 13 teams, specifying a home team 
for each game. 


Programming Projects 


1. Schedule round-robin tournaments for n teams, where n is a positive integer. 


2. Using Exercise 2, schedule round-robin tournaments for n teams, where n is an odd positive 
integer, specifying the home team for each game. 


5.4 Hashing Functions 


A university wishes to store a file in its computer for each of its students. The identifying 
number or key for each file is the social security number of the student. The social 
security number is a nine-digit integer, so it is extremely infeasible to reserve a memory 
location for each possible social security number. Instead, a systematic way to arrange 
the files in memory, using a reasonable number of memory locations, should be used so 
that each file can be easily accessed. Systematic methods of arranging files have been 
developed based on hashing functions. A hashing function assigns to the key of each file 
a particular memory location. Various types of hashing functions have been suggested, 
but the type most commonly used involves modular arithmetic. We discuss this type of 
hashing function here; for a general discussion of hashing functions, see Knuth [Kn97] 
or [CoLeRi01]. 


Let k be the key of the file to be stored; in our example, k is the social security 
number of a student. Let m be a positive integer. We define the hashing function h(k) by 


$$h(k) \equiv k \pmod{m},$$ 


where $0 \le h(k) < m$, so that h(k) is the least positive residue of k modulo m. We wish 
to pick m intelligently, so that the files are distributed in a reasonable way throughout 
the m different memory locations 0, 1, 2, ..., m − 1. 


The first thing to keep in mind is that m should not be a power of the base b that is 
used to represent the keys. For instance, when using social security numbers as keys, m 
should not be a power of 10, such as $10^3$, because the value of the hashing function would 
simply be the last several digits of the key; this may not distribute the keys uniformly 
throughout the memory locations. For instance, the last three digits of early issued social 
security numbers may often be between 000 and 099, but seldom between 900 and 999. 
Likewise, it is unwise to use a number dividing $b^k + a$, where k and a are small integers, 
for the modulus m. In such a case, h(k) would depend too strongly on the particular digits 
of the key, and different keys with similar, but rearranged, digits may be sent to the same 
memory location. For instance, if m = 111, then, since $111 \mid (10^3 - 1) = 999$, we have 
$10^3 \equiv 1 \pmod{111}$, so that the social security numbers 064 212 848 and 064 848 212 are 
sent to the same memory location, because 

$$h(064\ 212\ 848) \equiv 064\ 212\ 848 \equiv 064 + 212 + 848 \equiv 1124 \equiv 14 \pmod{111}$$ 
and 
$$h(064\ 848\ 212) \equiv 064\ 848\ 212 \equiv 064 + 848 + 212 \equiv 1124 \equiv 14 \pmod{111}.$$ 


To avoid such difficulties, m should be a prime that approximates the number 
of available memory locations devoted to file storage. For instance, if there are 5000 
memory locations available for storage of 2000 student files, we could pick m to be 
equal to the prime 4969. 


If the hashing function assigns the same memory location to two different files, 
we say that there is a collision. We need a method to resolve collisions, so that files are 
assigned to unique memory locations. There are two kinds of collision resolution policies. 
In the first kind, when a collision occurs, extra memory locations are linked together to 
the first memory location. When one wishes to access a file where this collision resolution 
policy has been used, it is necessary to first evaluate the hashing function for the particular 
key involved. Then the list linked to this memory location is searched. 


The second kind of collision resolution policy is to look for an open memory location 
when an occupied location is assigned to a file. Various suggestions have been made for 
accomplishing this, such as the following techniques. 


Starting with our original hashing function $h_0(k) = h(k)$, we define a sequence of 
memory locations $h_1(k), h_2(k), \ldots$. We first attempt to place the file with key k at 
location $h_0(k)$. If this location is occupied, we move to location $h_1(k)$. If this is occupied, 
we move to location $h_2(k)$, and so on. 


We can choose the sequence of functions $h_j(k)$ in various ways. The simplest way 
is to let 


$$h_j(k) \equiv h(k) + j \pmod{m}, \quad 0 \le h_j(k) < m.$$ 


This places the file with key k as near as possible past location h(k). Note that with this 
choice of $h_j(k)$, all memory locations are checked, so if there is an open location, it will 
be found. Unfortunately, this simple choice of $h_j(k)$ leads to difficulties; files tend to 
cluster. We see that if $k_1 \neq k_2$ and $h_i(k_1) = h_j(k_2)$ for nonnegative integers i and j, then 
$h_{i+k}(k_1) = h_{j+k}(k_2)$ for k = 1, 2, 3, ..., so that exactly the same sequence of locations 
is traced out once there is a collision. This lowers the efficiency of the search for files in 
the table. We would like to avoid this problem of clustering, so we choose the function 
$h_j(k)$ in a different way. 


To avoid clustering, we use a technique called double hashing. We choose, as before, 
$$h(k) \equiv k \pmod{m},$$ 

with $0 \le h(k) < m$, where m is prime, as the hashing function. We take a second hashing 
function 

$$g(k) \equiv k + 1 \pmod{m - 2},$$ 
where $0 < g(k) \le m - 2$, so that $(g(k), m) = 1$. We take as a probing sequence 
$$h_j(k) \equiv h(k) + j \cdot g(k) \pmod{m},$$ 

where $0 \le h_j(k) < m$. Because $(g(k), m) = 1$, as j runs through the integers 0, 1, 2, ..., 
m − 1, all memory locations are traced out. The ideal situation would be for m − 2 also 
to be prime, so that the values g(k) are distributed in a reasonable way. Hence, we would 
like m − 2 and m to be twin primes. 


Example 5.11. In our example using social security numbers, both m = 4969 and 
m − 2 = 4967 are prime. Our probing sequence is 

$$h_j(k) \equiv h(k) + j \cdot g(k) \pmod{4969},$$ 
where $0 \le h_j(k) < 4969$, $h(k) \equiv k \pmod{4969}$, and $g(k) \equiv k + 1 \pmod{4967}$. 
Suppose that we wish to assign memory locations to files for students with the 
following social security numbers: 

$k_1$ = 344 401 659    $k_6$ = 372 500 191 
$k_2$ = 325 510 778    $k_7$ = 034 367 980 
$k_3$ = 212 228 844    $k_8$ = 546 332 190 
$k_4$ = 329 938 157    $k_9$ = 509 496 993 
$k_5$ = 047 900 151    $k_{10}$ = 132 489 973. 


Because $k_1 \equiv 269$, $k_2 \equiv 1526$, and $k_3 \equiv 2854 \pmod{4969}$, we assign the first three 
files to locations 269, 1526, and 2854, respectively. 


Because $k_4 \equiv 1526 \pmod{4969}$, but memory location 1526 is taken, we compute 
$h_1(k_4) \equiv h(k_4) + g(k_4) = 1526 + 216 = 1742 \pmod{4969}$; this follows because 
$g(k_4) \equiv 1 + k_4 \equiv 216 \pmod{4967}$. 


Because location 1742 is free, we assign the fourth file to this location. The fifth, 
sixth, seventh, and eighth files go into the available locations 3960, 4075, 2376, and 578, 
respectively, because $k_5 \equiv 3960$, $k_6 \equiv 4075$, $k_7 \equiv 2376$, and $k_8 \equiv 578 \pmod{4969}$. 


We find that $k_9 \equiv 578 \pmod{4969}$; because location 578 is occupied, we compute 
$h_1(k_9) \equiv h(k_9) + g(k_9) = 578 + 2002 = 2580 \pmod{4969}$, where 
$g(k_9) \equiv 1 + k_9 \equiv 2002 \pmod{4967}$. Hence, we assign the ninth file to the free location 2580. 


Finally, we find that $k_{10} \equiv 1526 \pmod{4969}$, but location 1526 is taken. We compute 
$h_1(k_{10}) \equiv h(k_{10}) + g(k_{10}) = 1526 + 216 = 1742 \pmod{4969}$, because 
$g(k_{10}) \equiv 1 + k_{10} \equiv 216 \pmod{4967}$, but location 1742 is taken. Hence, we continue by finding 
$h_2(k_{10}) \equiv h(k_{10}) + 2g(k_{10}) \equiv 1958 \pmod{4969}$, and in this available location we place 
the tenth file. 


Table 5.2 lists the assignments for the files of students by their social security 
numbers. In the table, the file locations are shown in boldface. < 


Social Security Number    h(k)    h_1(k)    h_2(k)
344 401 659                269
325 510 778               1526
212 228 844               2854
329 938 157               1526     1742
047 900 151               3960
372 500 191               4075
034 367 980               2376
546 332 190                578
509 496 993                578     2580
132 489 973               1526     1742      1958

Table 5.2 Hashing function for student files.


We wish to find conditions in which double hashing leads to clustering. Hence, we
find conditions when

(5.1)  $h_i(k_1) = h_j(k_2)$

and

(5.2)  $h_{i+1}(k_1) = h_{j+1}(k_2)$,


so that the two consecutive terms of two probe sequences agree. If both (5.1) and (5.2)
occur, then

(5.3)  $h(k_1) + i\,g(k_1) \equiv h(k_2) + j\,g(k_2) \pmod{m}$

and

(5.4)  $h(k_1) + (i + 1)\,g(k_1) \equiv h(k_2) + (j + 1)\,g(k_2) \pmod{m}$.

Subtracting congruence (5.3) from (5.4), we obtain

$g(k_1) \equiv g(k_2) \pmod{m}$.

Because $0 < g(k) < m - 1$, the congruence $g(k_1) \equiv g(k_2) \pmod{m}$ implies that
$g(k_1) = g(k_2)$. Consequently,

$k_1 + 1 \equiv k_2 + 1 \pmod{m - 2}$,

which tells us that

$k_1 \equiv k_2 \pmod{m - 2}$.

Because $g(k_1) = g(k_2)$, we can simplify congruence (5.3) to obtain

$h(k_1) \equiv h(k_2) \pmod{m}$,

which shows that

$k_1 \equiv k_2 \pmod{m}$.



Consequently, because $(m - 2, m) = 1$, Corollary 4.9.1 tells us that

$k_1 \equiv k_2 \pmod{m(m - 2)}$.


Therefore, the only way that two probing sequences can agree for two consecutive terms 
is if the two keys involved, k, and ky, are congruent modulo m(m — 2). Hence, clustering 
is extremely rare. Indeed, if m(m — 2) > k for all keys k, clustering will never occur. 
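
The following Python code is an added illustration, not part of the text. It replays Example 5.11 with the text's $m = 4969$ and ten keys, then compares probing sequences: $k_4$ and $k_{10}$ differ by exactly $8m(m - 2)$, so they are congruent modulo $m(m - 2)$ and share their whole probing sequence, whereas $k_2$ shares only $h(k) = 1526$ with them. The function names are illustrative choices.

```python
"""Double hashing with the parameters of Example 5.11 (added illustration)."""

M = 4969            # number of memory locations (prime)
M2 = M - 2          # 4967, also prime: m - 2 and m are twin primes

# Keys k_1, ..., k_10 of Example 5.11 (leading zeros dropped).
KEYS = [344401659, 325510778, 212228844, 329938157, 47900151,
        372500191, 34367980, 546332190, 509496993, 132489973]


def h(k):
    """Hashing function h(k) = k mod m, with 0 <= h(k) < m."""
    return k % M


def g(k):
    """Step g(k) = k + 1 (mod m - 2), taken in the range 1..m-2."""
    return 1 + k % M2


def probe_sequence(k, terms=M):
    """First `terms` values of h_j(k) = h(k) + j*g(k) mod m, j = 0, 1, ..."""
    return [(h(k) + j * g(k)) % M for j in range(terms)]


def insert(table, k):
    """Place key k in the first free location of its probing sequence.

    Returns (location, j), where j is the index of the probe that succeeded.
    """
    for j, loc in enumerate(probe_sequence(k)):
        if loc not in table:
            table[loc] = k
            return loc, j
    raise RuntimeError("every memory location is occupied")


def build_table(keys=KEYS):
    """Insert the keys in order; return the table and the (location, j) pairs."""
    table = {}
    return table, [insert(table, k) for k in keys]


def common_prefix_len(k1, k2, terms=20):
    """How many leading probes h_0, h_1, ... the two keys have in common."""
    n = 0
    for a, b in zip(probe_sequence(k1, terms), probe_sequence(k2, terms)):
        if a != b:
            break
        n += 1
    return n


def congruent_mod_m_m2(k1, k2):
    """The clustering condition derived in the text: k1 = k2 (mod m(m - 2))."""
    return (k1 - k2) % (M * M2) == 0


if __name__ == "__main__":
    _, placed = build_table()
    for k, (loc, j) in zip(KEYS, placed):
        print(f"{k:09d} -> location {loc:4d} (j = {j})")
    k2, k4, k10 = KEYS[1], KEYS[3], KEYS[9]
    print("k4, k10 congruent mod m(m-2):", congruent_mod_m_m2(k4, k10))
    print("leading probes shared by k4 and k10:", common_prefix_len(k4, k10))
    print("leading probes shared by k2 and k4: ", common_prefix_len(k2, k4))
```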


EXERCISES 


1. A parking lot has 101 parking places. A total of 500 parking stickers are sold and only
   50-75 vehicles are expected to be parked at any time. Set up a hashing function and collision
   resolution policy for assigning parking places based on license plates displaying six-digit
   numbers.

2. Assign memory locations for students in your class, using as keys the day of the month of
   birthdays of students, with hashing function $h(K) \equiv K \pmod{19}$, and
   a) with probing sequence $h_j(K) \equiv h(K) + j \pmod{19}$.
   b) with probing sequence $h_j(K) \equiv h(K) + j \cdot g(K)$, $0 < j < 16$, where
      $g(K) \equiv 1 + K \pmod{17}$.

3. Let a hashing function be $h(K) \equiv K \pmod{m}$, with $0 \le h(K) < m$, and let the probing
   sequence for collision resolution be $h_j(K) \equiv h(K) + jq \pmod{m}$, $0 \le h_j(K) < m$, for
   $j = 1, 2, \ldots, m - 1$ where $m$ and $q$ are positive integers. Show that all memory locations
   are probed
   a) if $m$ is prime and $1 < q < m - 1$.
   b) if $m = 2^r$ and $q$ is odd.

4. A probing sequence for resolving collisions where the hashing function is
   $h(K) \equiv K \pmod{m}$, $0 \le h(K) < m$, is given by
   $h_j(K) \equiv h(K) + j(2h(K) + 1) \pmod{m}$, $0 \le h_j(K) < m$.
   a) Show that if $m$ is prime, then all memory sequences are probed.
   b) Determine conditions for clustering to occur; that is, when $h_j(K_1) = h_j(K_2)$ and
      $h_{j+r}(K_1) = h_{j+r}(K_2)$ for $r = 1, 2, \ldots$.

5. Using the hashing function and probing sequence of the example in the text, find open memory
   locations for the files of additional students with social security numbers
   $k_{11} = 137\ 612\ 044$, $k_{12} = 505\ 576\ 452$, $k_{13} = 157\ 170\ 996$, $k_{14} = 131\ 220\ 418$.
   (Add these to the ten files already stored.)


Computations and Explorations 


1. Assign memory locations to the files of all the students in your class, using the hashing
   function and probing function from Example 5.11. After doing so, assign memory locations
   to other files with social security numbers that you make up.


Programming Projects


In each programming project, assign memory locations to student files, using the hashing
function $h(k) \equiv k \pmod{1021}$, $0 \le h(k) < 1021$, where the keys are the social security
numbers of students,

1. linking files together when collisions occur.
2. using $h_j(k) \equiv h(k) + j \pmod{1021}$, $j = 0, 1, 2, \ldots$ as the probing sequence.
3. using $h_j(k) \equiv h(k) + j \cdot g(k)$, $j = 0, 1, 2, \ldots$, where $g(k) \equiv 1 + k \pmod{1019}$,
   as the probing sequence.


Check Digits 


Congruences can be used to check for errors in strings of digits. In this section, we will 
discuss error detection for bit strings, which are used to represent computer data. Then 
we will describe how congruences are used to detect errors in strings of decimal digits, 
which are used to identify passports, checks, books, and other types of objects. 


Manipulating or transmitting bit strings can introduce errors. A simple error detection
method is to append the bit string $x_1 x_2 \ldots x_n$ with a parity check bit $x_{n+1}$ defined
by

$x_{n+1} \equiv x_1 + x_2 + \cdots + x_n \pmod{2}$,

so that $x_{n+1} = 0$ if an even number of the first $n$ bits in the string are 1, whereas
$x_{n+1} = 1$ if an odd number of these bits are 1. The appended string
$x_1 x_2 \ldots x_n x_{n+1}$ satisfies the congruence

(5.5)  $x_1 + x_2 + \cdots + x_n + x_{n+1} \equiv 0 \pmod{2}$.

We use this congruence to look for errors.


Suppose that we send $x_1 x_2 \ldots x_n x_{n+1}$, and the string $y_1 y_2 \ldots y_n y_{n+1}$ is received.
These two strings are equal, that is, $y_i = x_i$ for $i = 1, 2, \ldots, n + 1$, when there are no
errors. But if an error was made, they differ in one or more positions. We check whether

(5.6)  $y_1 + y_2 + \cdots + y_n + y_{n+1} \equiv 0 \pmod{2}$

holds. If this congruence fails, at least one error is present, but if it holds, errors may still
be present. However, when errors are rare and random, the most common type of error
is a single error, which is always detected. In general, we can detect an odd number of
errors, but not an even number of errors (see Exercise 4).


Example 5.12. Suppose that we receive 1101111 and 11001000, where the last bit in
each string is a parity check bit. For the first string, note that
$1 + 1 + 0 + 1 + 1 + 1 + 1 \equiv 0 \pmod{2}$, so that either the received string is what was
transmitted or it contains an even number of errors. For the second string, note that
$1 + 1 + 0 + 0 + 1 + 0 + 0 + 0 \equiv 1 \pmod{2}$, so that the received string was not the string
sent; we ask for retransmission.


Strings of decimal digits are used for identification numbers in many different 
contexts. Check digits, computed using a variety of schemes, are used to find errors 
in these strings. For instance, check digits are used to detect errors in passport numbers. 
In a scheme used by several European countries, if $x_1 x_2 x_3 x_4 x_5 x_6$ is the identification
number of a passport, the check digit $x_7$ is chosen so that

$x_7 \equiv 7x_1 + 3x_2 + x_3 + 7x_4 + 3x_5 + x_6 \pmod{10}$.


Example 5.13. Suppose that the identification number of a passport is 211894. To find
the check digit $x_7$, we compute

$x_7 \equiv 7 \cdot 2 + 3 \cdot 1 + 1 \cdot 1 + 7 \cdot 8 + 3 \cdot 9 + 1 \cdot 4 \equiv 5 \pmod{10}$,

so that the check digit is 5, and the seven-digit number 2118945 is printed on the passport.


We can always detect a single error in a passport identification number appended
with a check digit computed in this way. To see this, suppose that we make an error of
$a$ in a digit; that is, $y_j \equiv x_j + a \pmod{10}$, where $x_j$ is the correct $j$th digit and $y_j$ is the
incorrect digit that replaces it. From the definition of the check digit, it follows that we
change $x_7$ by either $7a$, $3a$, or $a \pmod{10}$, each of which changes $x_7$. However, errors
caused by transposing two digits will be detected if and only if the difference between
these two digits is not 5 or −5, that is, if they are not digits $x_i$ and $x_j$ with $|x_i - x_j| = 5$
(see Exercise 7). This scheme also detects a large number of possible errors involving
the scrambling of three digits.


ISBNs 


We now turn our attention to the use of check digits in publishing. Until 2007 books
were identified by their ten-digit International Standard Book Number (ISBN) (ISBN-10).
For instance, the ISBN-10 for the first edition of this text is 0-201-06561-4. Here the
first block of digits, 0, represents the language of the book (English), the second block
of digits, 201, represents the publisher of that edition (Addison-Wesley), the third block
of digits, 06561, is the number assigned to this book by the publishing company,
and the final digit, in this case 4, is the check digit. (The sizes of the blocks differ
for different languages and publishers.) The check digit in an ISBN-10 can be used to
detect the errors most commonly made when ISBNs are copied, namely, single errors
and errors made when two digits are transposed.


In 2007, a new thirteen-digit code, ISBN-13, was introduced. ISBN-13 increases the
number of available codes for books, needed because of the growth both in the number
of publishers and books published around the world. It also aligns codes for books with
those for consumer goods. During a transition period, books will have both an ISBN-10
and an ISBN-13 code. The ISBN-13 code begins with a three-digit prefix, which is
currently 978 for all books, followed by nine digits now used in ISBN-10 codes, followed
by a single check digit.


ISBN Check Digits 


First, we will describe how the check digit is determined for the ISBN-10 code of a
book, and then show that it can be used to detect the commonly occurring types of errors.
Suppose that the ISBN-10 of a book is $x_1 x_2 \ldots x_{10}$, where $x_{10}$ is the check digit. (We
ignore the hyphens in the ISBN, because the grouping of digits does not affect how the
check digit is computed.) The first nine digits are decimal digits, that is, belong to the
set {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}, whereas the check digit $x_{10}$ is a base 11 digit, belonging
to the set {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, X}, where X is the base 11 digit representing the
integer 10 (in decimal notation). The check digit is selected so that the congruence

$\sum_{i=1}^{10} i x_i \equiv 0 \pmod{11}$

holds. As is easily seen (see Exercise 10), the check digit $x_{10}$ can be computed from
the congruence $x_{10} \equiv \sum_{i=1}^{9} i x_i \pmod{11}$; that is, the check digit is the remainder upon
division by 11 of a weighted sum of the first nine digits.


Example 5.14. We find the check digit for the ISBN of the first edition of this text,
which begins with 0-201-06561, by computing

$x_{10} \equiv 1 \cdot 0 + 2 \cdot 2 + 3 \cdot 0 + 4 \cdot 1 + 5 \cdot 0 + 6 \cdot 6 + 7 \cdot 5 + 8 \cdot 6 + 9 \cdot 1 \equiv 4 \pmod{11}$.

Hence, the ISBN is 0-201-06561-4, as previously stated. Similarly, if the ISBN number
of a book begins with 3-540-19102, we find the check digit using the congruence

$x_{10} \equiv 1 \cdot 3 + 2 \cdot 5 + 3 \cdot 4 + 4 \cdot 0 + 5 \cdot 1 + 6 \cdot 9 + 7 \cdot 1 + 8 \cdot 0 + 9 \cdot 2 \equiv 10 \pmod{11}$.

This means that the check digit is X, the base 11 digit for the decimal number 10. Hence,
the ISBN number is 3-540-19102-X.


We will show that a single error, or a transposition of two digits, can be detected
using the check digit of an ISBN. First, suppose that $x_1 x_2 \ldots x_{10}$ is a valid ISBN, but
that this number has been printed as $y_1 y_2 \ldots y_{10}$. We know that
$\sum_{i=1}^{10} i x_i \equiv 0 \pmod{11}$, because $x_1 x_2 \ldots x_{10}$ is a valid ISBN.


Suppose that exactly one error has been made in printing the ISBN. Then, for some
integer $j$, we have $y_i = x_i$ for $i \ne j$ and $y_j = x_j + a$, where $-10 \le a \le 10$ and $a \ne 0$.
Here, $a = y_j - x_j$ is the error in the $j$th place. Note that

$\sum_{i=1}^{10} i y_i = \sum_{i=1}^{10} i x_i + ja \equiv ja \not\equiv 0 \pmod{11}$

because $\sum_{i=1}^{10} i x_i \equiv 0 \pmod{11}$ and, by Lemma 3.5, it follows that $11 \nmid ja$ because
$11 \nmid j$ and $11 \nmid a$. We conclude that $y_1 y_2 \ldots y_{10}$ is not a valid ISBN so that we can
investigate the error.


Now suppose that two unequal digits have been transposed; then there are distinct
integers $j$ and $k$ such that $y_j = x_k$ and $y_k = x_j$, and $y_i = x_i$ if $i \ne j$ and $i \ne k$. It follows
that

$\sum_{i=1}^{10} i y_i = \sum_{i=1}^{10} i x_i + (j x_k - j x_j) + (k x_j - k x_k) \equiv (j - k)(x_k - x_j) \not\equiv 0 \pmod{11}$

because $\sum_{i=1}^{10} i x_i \equiv 0 \pmod{11}$, and $11 \nmid (j - k)$ and $11 \nmid (x_k - x_j)$. We see that
$y_1 y_2 \ldots y_{10}$ is not a valid ISBN so that we can detect the interchange of two unequal
digits.

The check digit $a_{13}$ for an ISBN-13 code with initial 12 digits $a_i$, $i = 1, 2, \ldots, 12$
is determined by the congruence

$a_1 + 3a_2 + a_3 + 3a_4 + a_5 + 3a_6 + a_7 + 3a_8 + a_9 + 3a_{10} + a_{11} + 3a_{12} + a_{13} \equiv 0 \pmod{10}$.


Just as for ISBN-10, ISBN-13 detects all single errors, but unlike ISBN-10, not all
transpositions of two digits (see Exercises 21 and 22). So, the advantage of adding
three digits comes with the cost of no longer detecting transposition errors.
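
The contrast between the two codes can be checked exhaustively. The following Python code is an added illustration, not part of the text; it applies every single-digit error and every transposition to the ISBN-10 of Example 5.14, and every single-digit error and adjacent transposition to an ISBN-13 constructed from it by the rule stated above (prefix 978, the same nine digits, a recomputed check digit). The function names are illustrative choices.

```python
"""ISBN-10 and ISBN-13 check digits with an exhaustive error-detection test."""


def digits(code):
    """'0-201-06561-4' -> [0, 2, 0, 1, 0, 6, 5, 6, 1, 4]; 'X' stands for 10."""
    return [10 if c in "Xx" else int(c) for c in code if c not in "- "]


def isbn10_check_digit(first9):
    """x_10 = sum_{i=1}^{9} i*x_i mod 11 (0..10, where 10 is written X)."""
    return sum(i * x for i, x in enumerate(first9, start=1)) % 11


def isbn10_valid(d):
    """sum_{i=1}^{10} i*x_i = 0 (mod 11); only the check digit may be X."""
    return (len(d) == 10 and max(d[:9]) <= 9
            and sum(i * x for i, x in enumerate(d, start=1)) % 11 == 0)


def isbn13_weighted_sum(d):
    """a_1 + 3a_2 + a_3 + 3a_4 + ...: weights alternate 1, 3 from the left."""
    return sum((3 if i % 2 else 1) * a for i, a in enumerate(d))  # i is 0-based


def isbn13_check_digit(first12):
    """The digit a_13 that makes the weighted sum divisible by 10."""
    return -isbn13_weighted_sum(first12) % 10


def isbn13_valid(d):
    return len(d) == 13 and max(d) <= 9 and isbn13_weighted_sum(d) % 10 == 0


def single_errors(d, alphabet_for):
    """Every string that differs from d in exactly one position."""
    for pos, x in enumerate(d):
        for y in alphabet_for(pos):
            if y != x:
                yield d[:pos] + [y] + d[pos + 1:]


def transpositions(d, adjacent_only=False):
    """Every string obtained by swapping two unequal digits of d."""
    for j in range(len(d)):
        for k in range(j + 1, len(d)):
            if d[j] != d[k] and (k == j + 1 or not adjacent_only):
                e = list(d)
                e[j], e[k] = e[k], e[j]
                yield e


def undetected(errors, valid):
    """The erroneous strings that still satisfy the check congruence."""
    return [e for e in errors if valid(e)]


ISBN10 = digits("0-201-06561-4")            # from Example 5.14
_FIRST12 = [9, 7, 8] + ISBN10[:9]           # constructed: 978 + nine digits
ISBN13 = _FIRST12 + [isbn13_check_digit(_FIRST12)]


def report():
    """Undetected errors for each code and error type."""
    a10 = lambda pos: range(11) if pos == 9 else range(10)  # X only at the end
    a13 = lambda pos: range(10)
    return {
        "isbn10_single": undetected(single_errors(ISBN10, a10), isbn10_valid),
        "isbn10_transposition": undetected(transpositions(ISBN10), isbn10_valid),
        "isbn13_single": undetected(single_errors(ISBN13, a13), isbn13_valid),
        "isbn13_adjacent_transposition": undetected(
            transpositions(ISBN13, adjacent_only=True), isbn13_valid),
    }


if __name__ == "__main__":
    for name, missed in report().items():
        print(name, ["".join(map(str, e)) for e in missed])
```

The one adjacent transposition that slips through swaps the neighbouring digits 6 and 1, whose difference is 5; with weights 1 and 3 the swap changes the weighted sum by 10.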


We have discussed how a single check digit can be used to detect errors in strings 
of digits. However, using a single check digit, we cannot detect an error and then correct 
it, that is, replace the digit in error with the valid one. It is possible to detect and correct 
an error using additional digits satisfying certain congruences (see Exercises 24 and 26, 
for example). The reader is referred to any text on coding theory for more information 
on error detection and correction. Coding theory uses many results from different parts 
of mathematics, including number theory, abstract algebra, combinatorics, and even 
geometry. To find good sources of information, consult Chapter 14 of [Ro99a]. We also 
refer the reader to the excellent articles by J. Gallian on check digits, [Ga92], [Ga91], 
and [Ga96], [GaWi88], for related information, including how check digits for driver’s
license numbers are found, and the book [Ki01], entirely devoted to check digits and
identification numbers. 


EXERCISES 


1. What is the parity check bit that should be added to each of the following bit strings?
   a) 111111     c) 101010     e) 11111111
   b) 000000     d) 100000     f) 11001011

2. Suppose that you receive the following bit strings, where the last bit is a parity check bit.
   Which strings do you know are incorrect?
   a) 111111111     b) 0101010101010     c) 1111010101010101

3. Assume that each of the following strings, ending with a parity check bit, was received
   correctly except for a missing bit indicated with a question mark. What is the missing bit?
   a) 1?11111     b) 000?10101     c) 270101010100

4. Show that a parity check bit can detect an odd number of errors, but not an even number of
   errors.

5. Using the check digit scheme described in the text, find the check digit that should be added
   to the following passport identification numbers.
   a) 132999     b) 805237     c) 645153

6. Are the following passport identification numbers valid, where the seventh digit is the check
   digit computed as described in the text?
   a) 3300118     b) 4501824     c) 1873336

7. Show that the passport check digit scheme described in the text detects transposition of the
   digits $x_i$ and $x_j$ if and only if $|x_i - x_j| \ne 5$.


8. The bank identification number printed on a check consists of eight digits, $x_1 x_2 \ldots x_8$,
   followed by a ninth check digit, $x_9$, where
   $x_9 \equiv 7x_1 + 3x_2 + 9x_3 + 7x_4 + 3x_5 + 9x_6 + 7x_7 + 3x_8 \pmod{10}$.
   a) What is the check digit following the eight-digit identification number 00185403?
   b) Which single errors in bank identification numbers does a check digit computed in this
      way detect?
   c) Which transpositions of two digits does this scheme detect?

9. What should the check digit be to complete each of the following ten-digit ISBNs?
   a) 2-113-54001     c) 1-2123-9940
   b) 0-19-081082     d) 0-07-038133

10. Show that the check digit $x_{10}$ in an ISBN-10 $x_1 x_2 \ldots x_{10}$ can be computed from the
    congruence $x_{10} \equiv \sum_{i=1}^{9} i x_i \pmod{11}$.

11. Determine whether each of the following ISBN-10 codes is valid.
    a) 0-394-38049-5     c) 0-8218-0123-6     e) 90-6191-705-2
    b) 1-09-231221-3     d) 0-404-50874-X

12. Suppose that one digit, indicated with a question mark, in each of the following ISBN-10
    codes has been smudged and cannot be read. What should this missing digit be?
    a) 0-19-873804-9     b) 91-554-212?-6     c) ?-261-05073-X

13. While copying the ISBN-10 for a book, a clerk accidentally transposed two digits. If the
    clerk copied the ISBN-10 as 0-07-289095-0 and did not make any other mistakes, what is the
    correct ISBN-10 for this book?


Retail products are often identified by Universal Product Codes (UPCs), the most common of
which consists of 12 decimal digits. The first digit identifies a product category, the next five the
manufacturer, the following five the particular product, and the last digit is a check digit. The
check digit is determined by the following three steps that use the first 11 digits of the UPC.
First, digits in odd-numbered positions, starting from the left, are added, and the resulting sum
is tripled. Second, the sum of digits in even-numbered positions is added to the result of the first
step. Third, the check is found by determining which decimal digit, when added to the overall
result of the second step, produces an integer divisible by 10.

14. Give a formula using a congruence that produces the check digit for a UPC from the 11 digits
    representing the product category, manufacturer, and particular product.

15. Determine whether each of the following 12-digit strings can be the UPC of a product.
    a) 0 47000 00183 6     c) 0 58000 00127 5
    b) 3 11000 01038 9     d) 2 26500 01179 4

16. What is the check digit for the 12-digit UPC code that begins with each of the following
    11-digit strings?
    a) 3 81370 02918     c) 0 33003 31439
    b) 5 01175 00557     d) 4 11000 01028
17. Determine whether the 12-digit UPC code can always detect an error in exactly one digit.

18. Determine whether the 12-digit UPC code can always detect the transposition of two digits.

19. Determine whether each of the following ISBN-13 codes is valid.
    a) 978-0-073-22972-0     c) 978-1-4000-8277-3     e) 978-1-56975-655-3
    b) 978-0-073-10779-1     d) 978-0-43985-654-2

20. Determine whether each of the following ISBN-13 codes is valid.
    a) 978-0-06135-328-9     c) 978-1-41697-800-8     e) 978-0-67-002053-9
    b) 978-0-79225-314-3     d) 978-0-45228-521-0

21. Show that a single error is always detected by the ISBN-13 code.

22. Show that there are transpositions of two digits that are not detected by the ISBN-13 code.

23. Suppose we specify that the valid 10-digit decimal code words $x_1 x_2 \ldots x_{10}$ are those
    satisfying the congruence $\sum_{i=1}^{10} x_i \equiv 0 \pmod{11}$.
    a) Can we detect all single errors in a code word?
    b) Can we detect transposition of two digits in a code word?

24. Suppose that the only valid 10-digit code words $x_1 x_2 \ldots x_{10}$ are those satisfying the
    congruences $\sum_{i=1}^{10} x_i \equiv \sum_{i=1}^{10} i x_i \equiv 0 \pmod{11}$.
    a) Show that the valid code words, where the first digits are decimal digits, that is, in the
       set {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}, are those where the last two digits satisfy the congruences
       $x_9 \equiv \sum_{i=1}^{8} (i + 1) x_i \pmod{11}$ and $x_{10} \equiv \sum_{i=1}^{8} (9 - i) x_i \pmod{11}$.
    b) Find the number of valid decimal code words.
    c) Show that any single error in a code word can be detected and corrected, because the
       location and value of the error can be determined.
    d) Show that we can detect any error caused by transposing two digits in a code word.

25. The government of Norway assigns an 11-digit decimal registration number $x_1 x_2 \ldots x_{11}$ to
    each of its citizens using a scheme designed by Norwegian number theorist E. Selmer. The
    digits $x_1 x_2 \ldots x_6$ represent the date of birth, the digits $x_7 x_8 x_9$ identify the particular
    person born that day, and $x_{10}$ and $x_{11}$ are check digits that are computed using the congruences
    $x_{10} \equiv 8x_1 + 4x_2 + 5x_3 + 10x_4 + 3x_5 + 2x_6 + 7x_7 + 6x_8 + 9x_9 \pmod{11}$ and
    $x_{11} \equiv 6x_1 + 7x_2 + 8x_3 + 9x_4 + 4x_5 + 5x_6 + 6x_7 + 7x_8 + 8x_9 + 9x_{10} \pmod{11}$.
    a) Determine the check digits that follow the first nine digits 110491238.
    b) Show that this scheme detects all single errors in a registration number.
    c) Which double errors are detected?

26. Suppose that we specify that the valid 10-digit code words $x_1 x_2 \ldots x_{10}$, where each digit
    is a decimal digit, are those satisfying the congruences
    $\sum_{i=1}^{10} x_i \equiv \sum_{i=1}^{10} i x_i \equiv \sum_{i=1}^{10} i^2 x_i \equiv \sum_{i=1}^{10} i^3 x_i \equiv 0 \pmod{11}$.
    a) How many valid 10-digit code words are there?
    b) Show how any two errors in a code word can be corrected.
    c) Suppose a code word has been received as 0204906710. If two errors have been made,
       what is the correct code word?

Airline tickets carry 15-digit identification numbers $a_1 a_2 \ldots a_{14} a_{15}$, where $a_{15}$ is a check
digit that equals the least nonnegative residue of the integer $a_1 a_2 \ldots a_{14}$ modulo 7.

27. Find the check digit $a_{15}$ that follows each of these initial 14 digits of airplane ticket
    identification numbers.
    a) 00032781811224     b) 10238544122339     c) 00611133123278

28. Determine whether these are valid airline ticket identification numbers.
    a) 102284711033122     b) 004113711331240     c) 100261413001533

29. Determine which errors in a single digit can be detected and which cannot be detected using
    the check digit for airline tickets.

30. Determine which errors involving the transposition of two adjacent digits in the identification
    number of an airline ticket can be detected and which cannot be detected using the check digit
    for airline tickets.


The International Standard Serial Number (ISSN) used to identify a periodical consists of two
blocks of four digits, where the last digit in the second block is a base 11 check digit. As in an
ISBN, the character X represents 10 (in decimal notation). The check digit $d_8$ is determined by
the congruence $d_8 \equiv 3d_1 + 4d_2 + 5d_3 + 6d_4 + 7d_5 + 8d_6 + 9d_7 \pmod{11}$.

31. For each of the following initial seven digits of an ISSN, determine the correct check digit.
    a) 0317-847     b) 0423-555     c) 1063-669     d) 1363-837

32. Is it always possible to detect a single error in an ISSN? That is, is it always possible to detect
    that an error was made when one digit of an ISSN has been copied incorrectly? Justify your
    answer.

33. Is it always possible to detect when two consecutive digits in an ISSN have been accidentally
    transposed? Justify your answer.


Computations and Explorations 
1. Check the ISBN-10 codes of a selection of books to see whether the check digit was computed 
correctly. 


2. Check the ISBN-13 codes of a selection of recently published books to see whether the check 
digit was computed correctly. 


Programming Projects 

1. Determine whether a bit string, ending with a parity check bit, has either an odd or an even 
number of errors. 

2. Determine the check digit for an ISBN-10 code, given the first nine digits. 


3. Determine whether a 10-digit string, where the first nine digits are decimal digits and the last 
is a decimal digit or an X, is a valid ISBN-10 code. 


4. Determine whether a 12-digit decimal string is a valid UPC. 
5. Determine the check digit for an ISBN-13 code, given the first 12 digits. 
6. Determine whether a 13-digit string is a valid ISBN-13 code. 


6 Some Special Congruences


In this chapter, we discuss three congruences that have both theoretical and practical
significance: Wilson’s theorem shows that when $p$ is prime, the remainder when
$(p - 1)!$ is divided by $p$ is $-1$. Fermat’s little theorem provides a congruence for the
$p$th powers of integers modulo $p$. In particular, it shows that if $p$ is prime, then $a^p$ and $a$
have the same remainder when divided by $p$ whenever $a$ is an integer. Euler’s theorem
provides a generalization of Fermat’s little theorem for moduli that are not prime.


These three congruences have many applications. For example, we will explain how
Fermat’s little theorem can be used as the basis for primality tests and factoring algorithms.
We will also discuss composite integers, called pseudoprimes, that masquerade
as primes by satisfying the same congruence that primes do in Fermat’s little theorem.
We will use the fact that pseudoprimes are relatively rare to develop some tests that can
provide overwhelming evidence that an integer is prime.


6.1 Wilson’s Theorem and Fermat’s Little Theorem


In a book published in 1770, English mathematician Edward Waring stated that one of
his students, John Wilson, had discovered that $(p - 1)! + 1$ is divisible by $p$ whenever
$p$ is prime. Furthermore, he stated that neither he nor Wilson knew how to prove it.
Most likely, Wilson made this conjecture based on numerical evidence. For example, we
can easily see that 2 divides $1! + 1 = 2$, 3 divides $2! + 1 = 3$, 5 divides $4! + 1 = 25$, 7
divides $6! + 1 = 721$, and so on. Although Waring thought it would be difficult to find a
proof, Joseph Lagrange proved this result in 1771. Nevertheless, the fact that $p$ divides
$(p - 1)! + 1$ is known as Wilson’s theorem. We now state this theorem in the form of a
congruence.


Theorem 6.1. Wilson’s Theorem. If $p$ is prime, then $(p - 1)! \equiv -1 \pmod{p}$.


Before proving Wilson’s theorem, we use an example to illustrate the idea behind 
the proof. 


Example 6.1. Let $p = 7$. We have $(7 - 1)! = 6! = 1 \cdot 2 \cdot 3 \cdot 4 \cdot 5 \cdot 6$. We will rearrange
the factors in the product, grouping together pairs of inverses modulo 7. We note
that $2 \cdot 4 \equiv 1 \pmod{7}$ and $3 \cdot 5 \equiv 1 \pmod{7}$. Hence,
$6! = 1 \cdot (2 \cdot 4) \cdot (3 \cdot 5) \cdot 6 \equiv 1 \cdot 6 \equiv -1 \pmod{7}$. Thus, we have verified a special case
of Wilson’s theorem.

We now use the technique illustrated in the example to prove Wilson’s theorem.


Proof. When $p = 2$, we have $(p - 1)! = 1 \equiv -1 \pmod{2}$. Hence, the theorem is true for
$p = 2$. Now let $p$ be a prime greater than 2. Using Theorem 4.11, for each integer $a$ with
$1 \le a \le p - 1$ there is an inverse $\bar{a}$, $1 \le \bar{a} \le p - 1$, with $a\bar{a} \equiv 1 \pmod{p}$. By Theorem
4.12, the only positive integers less than $p$ that are their own inverses are 1 and $p - 1$.
Therefore, we can group the integers from 2 to $p - 2$ into $(p - 3)/2$ pairs of integers,
with the product of each pair congruent to 1 modulo $p$. Hence, we have

$2 \cdot 3 \cdots (p - 3) \cdot (p - 2) \equiv 1 \pmod{p}$.

We multiply both sides of this congruence by 1 and $p - 1$ to obtain

$(p - 1)! = 1 \cdot 2 \cdot 3 \cdots (p - 3)(p - 2)(p - 1) \equiv 1 \cdot (p - 1) \equiv -1 \pmod{p}$.

This completes the proof.


An interesting observation is that the converse of Wilson’s theorem is also true, as 
the following theorem shows. 


Theorem 6.2. If $n$ is a positive integer with $n > 2$ such that $(n - 1)! \equiv -1 \pmod{n}$,
then $n$ is prime.


Proof. Assume that $n$ is a composite integer and that $(n - 1)! \equiv -1 \pmod{n}$. Because
$n$ is composite, we have $n = ab$, where $1 < a < n$ and $1 < b < n$. Because $a < n$, we
know that $a \mid (n - 1)!$, because $a$ is one of the $n - 1$ numbers multiplied together to
form $(n - 1)!$. Because $(n - 1)! \equiv -1 \pmod{n}$, it follows that $n \mid ((n - 1)! + 1)$. This
means, by Theorem 1.8, that $a$ also divides $(n - 1)! + 1$. By Theorem 1.9, because
$a \mid (n - 1)!$ and $a \mid ((n - 1)! + 1)$, we conclude that $a \mid ((n - 1)! + 1) - (n - 1)! = 1$.
This is a contradiction, because $a > 1$.


JOSEPH LOUIS LAGRANGE (1736-1813) was born in Italy and studied
physics and mathematics at the University of Turin. Although he originally
planned to pursue a career in physics, Lagrange’s growing interest in mathematics
led him to change course. At the age of 19, he was appointed as a mathematics
professor at the Royal Artillery School in Turin. In 1766, he filled the post Euler
vacated at the Royal Academy of Berlin when Frederick the Great sought him
out. Lagrange directed the mathematics section of the Royal Academy for 20
years. In 1787, when his patron Frederick the Great died, Lagrange moved to
France at the invitation of Louis XVI, to join the French Academy. In France, he had a distinguished
career in teaching and writing. He was a favorite of Marie Antoinette, but managed to win the favor of
the new regime that came into power after the French Revolution. Lagrange’s contributions to
mathematics include unifying the mathematical theory of mechanics. He made fundamental discoveries in
group theory, and helped put calculus on a rigorous foundation. His contributions to number theory
include the first proof of Wilson’s theorem, and the result that every positive integer can be written as
the sum of four squares.
Wilson’s theorem can be used to demonstrate that a composite integer is not prime,
as Example 6.2 shows.


Example 6.2. Because $(6 - 1)! = 5! = 120 \equiv 0 \pmod{6}$, Theorem 6.1 verifies the
obvious fact that 6 is not prime.


As we can see, Wilson’s theorem and its converse give us a primality test. To
decide whether an integer $n$ is prime, we determine whether $(n - 1)! \equiv -1 \pmod{n}$.
Unfortunately, this is an impractical test because $n - 2$ multiplications modulo $n$ are
needed to find $(n - 1)!$, requiring $O(n(\log_2 n)^2)$ bit operations.


Fermat made many important discoveries in number theory, including the fact that $p$
divides $a^{p-1} - 1$ whenever $p$ is prime and $a$ is an integer not divisible by $p$. He stated this
result in a letter to one of his mathematical correspondents, Bernard Frénicle de Bessy, 
in 1640. Fermat did not bother to enclose a proof with his letter, stating that he feared that 
a proof would be too long. Unlike Fermat’s notorious last theorem, discussed in Chapter 
13, there is little doubt that Fermat really knew how to prove this theorem (which is called 
“Fermat’s little theorem” to distinguish it from his “last theorem”). Leonhard Euler is 
credited with the first published proof, in 1736. Euler also generalized Fermat’s little 
theorem; we will explain how in Section 6.3. 


Theorem 6.3. Fermat’s Little Theorem. If $p$ is prime and $a$ is an integer with $p \nmid a$,
then $a^{p-1} \equiv 1 \pmod{p}$.


Proof. Consider the $p - 1$ integers $a, 2a, \ldots, (p - 1)a$. None of these integers are
divisible by $p$, for if $p \mid ja$, then by Lemma 3.4, $p \mid j$, because $p \nmid a$. This is impossible,
because $1 \le j \le p - 1$. Furthermore, no two of the integers $a, 2a, \ldots, (p - 1)a$ are
congruent modulo $p$. To see this, assume that $ja \equiv ka \pmod{p}$, where
$1 \le j < k \le p - 1$. Then, by Corollary 4.5.1, because $(a, p) = 1$, we have $j \equiv k \pmod{p}$. This is
impossible, because $j$ and $k$ are positive integers less than $p - 1$.


Because the integers $a, 2a, \ldots, (p - 1)a$ are a set of $p - 1$ integers all incongruent
to 0, and no two are congruent modulo $p$, by Lemma 4.1 we know that the least
positive residues of $a, 2a, \ldots, (p - 1)a$, taken in some order, must be the integers
$1, 2, \ldots, p - 1$. As a consequence, the product of the integers $a, 2a, \ldots, (p - 1)a$
is congruent modulo $p$ to the product of the first $p - 1$ positive integers. Hence,

$a \cdot 2a \cdots (p - 1)a \equiv 1 \cdot 2 \cdots (p - 1) \pmod{p}$.

Therefore,

$a^{p-1}(p - 1)! \equiv (p - 1)! \pmod{p}$.

Because $((p - 1)!, p) = 1$, using Corollary 4.5.1, we cancel $(p - 1)!$ to obtain

$a^{p-1} \equiv 1 \pmod{p}$.


We illustrate the ideas of the proof with an example. 
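Example 6.3. Let $p = 7$ and $a = 3$. Then, $1 \cdot 3 \equiv 3 \pmod{7}$, $2 \cdot 3 \equiv 6 \pmod{7}$,
$3 \cdot 3 \equiv 2 \pmod{7}$, $4 \cdot 3 \equiv 5 \pmod{7}$, $5 \cdot 3 \equiv 1 \pmod{7}$, and $6 \cdot 3 \equiv 4 \pmod{7}$. Consequently,

$(1 \cdot 3) \cdot (2 \cdot 3) \cdot (3 \cdot 3) \cdot (4 \cdot 3) \cdot (5 \cdot 3) \cdot (6 \cdot 3) \equiv 3 \cdot 6 \cdot 2 \cdot 5 \cdot 1 \cdot 4 \pmod{7}$,

so that $3^6 \cdot 1 \cdot 2 \cdot 3 \cdot 4 \cdot 5 \cdot 6 \equiv 3 \cdot 6 \cdot 2 \cdot 5 \cdot 1 \cdot 4 \pmod{7}$. Hence, $3^6 \cdot 6! \equiv 6! \pmod{7}$, and
therefore $3^6 \equiv 1 \pmod{7}$.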


Theorem 6.4. If $p$ is prime and $a$ is a positive integer, then $a^p \equiv a \pmod{p}$.


Proof. If $p \nmid a$, by Fermat’s little theorem, we know that $a^{p-1} \equiv 1 \pmod{p}$. Multiplying
both sides of this congruence by $a$, we find that $a^p \equiv a \pmod{p}$. If $p \mid a$, then $p \mid a^p$
as well, so that $a^p \equiv a \equiv 0 \pmod{p}$. This finishes the proof, because $a^p \equiv a \pmod{p}$ if
$p \nmid a$ and if $p \mid a$.


Finding the least positive residue of powers of integers is often required in number
theory and its applications—especially cryptography, as we will see in Chapter 8.
Fermat’s little theorem is a useful tool in such computations, as the following example
shows.


Example 6.4. We can find the least positive residue of $3^{201}$ modulo 11 with the help
of Fermat’s little theorem. We know that $3^{10} \equiv 1 \pmod{11}$. Hence,
$3^{201} = (3^{10})^{20} \cdot 3 \equiv 3 \pmod{11}$.


A useful application of Fermat’s little theorem is provided by the following result. 


Theorem 6.5. If $p$ is prime and $a$ is an integer such that $p \nmid a$, then $a^{p-2}$ is an inverse
of $a$ modulo $p$.


Proof. If $p \nmid a$, by Fermat’s little theorem we have $a \cdot a^{p-2} = a^{p-1} \equiv 1 \pmod{p}$.
Hence, $a^{p-2}$ is an inverse of $a$ modulo $p$.


Example 6.5. By Theorem 6.5, we know that $2^9 = 512 \equiv 6 \pmod{11}$ is an inverse of
2 modulo 11.


Theorem 6.5 gives us another way to solve linear congruences with respect to prime 
moduli. 


Corollary 6.5.1. If $a$ and $b$ are positive integers and $p$ is prime with $p \nmid a$, then
the solutions of the linear congruence $ax \equiv b \pmod p$ are the integers $x$ such that
$x \equiv a^{p-2}b \pmod p$.


Proof. Suppose that $ax \equiv b \pmod p$. Because $p \nmid a$, we know from Theorem 6.5 that
$a^{p-2}$ is an inverse of $a$ (mod $p$). Multiplying both sides of the original congruence by
$a^{p-2}$, we have

$$a^{p-2}ax \equiv a^{p-2}b \pmod p.$$

Hence,

$$x \equiv a^{p-2}b \pmod p.$$


The Pollard p − 1 Factorization Method


Fermat’s little theorem is the basis of a factorization method invented by J. M. Pollard in 
1974. This method, known as the Pollard p — 1 method, can find a nontrivial factor of an 
integer n when n has a prime factor p such that the primes dividing p — 1 are relatively 
small. 


To see how this method works, suppose that we want to find a factor of the positive
integer $n$. Furthermore, suppose that $n$ has a prime factor $p$ such that $p - 1$ divides
$k!$, where $k$ is a positive integer. We want $p - 1$ to have only small prime factors, so
that there is such an integer $k$ that is not too large. For example, if $p = 2269$, then
$p - 1 = 2268 = 2^2 3^4 7$, so that $p - 1$ divides $9!$, but no smaller value of the factorial
function.


The reason we want $p - 1$ to divide $k!$ is so that we can apply Fermat’s little theorem.
By Fermat’s little theorem, we know that $2^{p-1} \equiv 1 \pmod p$. Now, because $p - 1$ divides
$k!$, $k! = (p - 1)q$ for some integer $q$. Hence,

$$2^{k!} = 2^{(p-1)q} = (2^{p-1})^q \equiv 1^q = 1 \pmod p,$$

which implies that $p$ divides $2^{k!} - 1$. Now let $M$ be the least positive residue of $2^{k!} - 1$
modulo $n$, so that $M = (2^{k!} - 1) - nt$ for some integer $t$. We see that $p$ divides $M$ because
it divides both $2^{k!} - 1$ and $n$.


Now, to find a divisor of $n$, we need only compute the greatest common divisor of
$M$ and $n$, $d = (M, n)$. This can be done rapidly using the Euclidean algorithm. For this
divisor $d$ to be a nontrivial divisor, it is necessary that $M$ not be 0. This is the case when
$n$ does not itself divide $2^{k!} - 1$, which is likely when $n$ has large prime divisors.


To use this method, we must compute $2^{k!}$, where $k$ is a positive integer. This can
be done efficiently because modular exponentiation can be done efficiently. To find the
least positive remainder of $2^{k!}$ modulo $n$, we set $r_1 = 2$ and use the following sequence of
computations: $r_2 \equiv r_1^2 \pmod n$, $r_3 \equiv r_2^3 \pmod n$, \ldots, $r_k \equiv r_{k-1}^k \pmod n$. We illustrate
this procedure in the following example.


Example 6.6. To find $2^{9!} \pmod{5{,}157{,}437}$, we perform the following sequence of
computations:

$$
\begin{aligned}
r_2 &\equiv r_1^2 = 2^2 \equiv 4 \pmod{5{,}157{,}437} \\
r_3 &\equiv r_2^3 = 4^3 \equiv 64 \pmod{5{,}157{,}437} \\
r_4 &\equiv r_3^4 = 64^4 \equiv 1{,}304{,}905 \pmod{5{,}157{,}437} \\
r_5 &\equiv r_4^5 = 1{,}304{,}905^5 \equiv 404{,}913 \pmod{5{,}157{,}437} \\
r_6 &\equiv r_5^6 = 404{,}913^6 \equiv 2{,}157{,}880 \pmod{5{,}157{,}437} \\
r_7 &\equiv r_6^7 = 2{,}157{,}880^7 \equiv 4{,}879{,}227 \pmod{5{,}157{,}437} \\
r_8 &\equiv r_7^8 = 4{,}879{,}227^8 \equiv 4{,}379{,}778 \pmod{5{,}157{,}437} \\
r_9 &\equiv r_8^9 = 4{,}379{,}778^9 \equiv 4{,}381{,}440 \pmod{5{,}157{,}437}.
\end{aligned}
$$

It follows that $2^{9!} \equiv 4{,}381{,}440 \pmod{5{,}157{,}437}$.


The following example illustrates the use of the Pollard p — 1 method to find a factor 
of the integer 5,157,437. 


Example 6.7. To factor 5,157,437 using the Pollard p − 1 method, we successively find
$r_k$, the least positive residue of $2^{k!}$ modulo 5,157,437, for $k = 1, 2, 3, \ldots$, as was done in
Example 6.6. We compute $(r_k - 1, 5{,}157{,}437)$ at each step. To find a factor of 5,157,437
requires nine steps, because $(r_k - 1, 5{,}157{,}437) = 1$ for $k = 1, 2, 3, 4, 5, 6, 7, 8$ (as the
reader can verify), but $(r_9 - 1, 5{,}157{,}437) = (4{,}381{,}439, 5{,}157{,}437) = 2269$. It follows
that 2269 is a divisor of 5,157,437.


The Pollard p — 1 method does not always work. However, because nothing in the 
method depends on the choice of 2 as the base, we can extend the method and find a factor 
for more integers by using integers other than 2 as the base. In practice, the Pollard p — 1 
method is used after trial divisions by small primes, but before the heavy artillery of such 
methods as the quadratic sieve and the elliptic curve method. 
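
The procedure of Examples 6.6 and 6.7, written out as an added Python example (not code from the book): it iterates $r_k \equiv r_{k-1}^k \pmod n$, takes $(r_k - 1, n)$ at each step, and moves on to another base when a run ends with the trivial divisor $n$. The function names, the base list (2, 3, 5, 7) and the step limit are assumptions of this example, and 341 is used only as a small constructed input on which the base 2 fails.

```python
from math import gcd


def power_residues(n, base, k_max):
    """Return [r_1, ..., r_k_max] with r_1 = base and r_k = r_(k-1)^k mod n,
    so that r_k is the least nonnegative residue of base^(k!) modulo n."""
    residues = []
    r = base % n
    for k in range(1, k_max + 1):
        r = pow(r, k, n)
        residues.append(r)
    return residues


def pollard_p_minus_1(n, base=2, k_max=1000):
    """Run the method with a single base.

    Returns (d, k), where k is the first step at which d = gcd(r_k - 1, n) > 1.
    d == n means the run failed: n itself divides base^(k!) - 1, so M = 0.
    (None, k_max) means no gcd exceeded 1 within k_max steps.
    """
    d = gcd(base, n)
    if 1 < d < n:
        return d, 0               # the base already shares a factor with n
    r = base % n
    for k in range(1, k_max + 1):
        r = pow(r, k, n)          # r_k = base^(k!) mod n
        d = gcd(r - 1, n)         # gcd(M, n) with M = r_k - 1
        if d > 1:
            return d, k
    return None, k_max


def find_factor(n, bases=(2, 3, 5, 7), k_max=1000):
    """Try each base in turn; return (d, base, k) for the first nontrivial
    divisor d, or None if every base in the list fails."""
    for base in bases:
        d, k = pollard_p_minus_1(n, base, k_max)
        if d is not None and 1 < d < n:
            return d, base, k
    return None


if __name__ == "__main__":
    n = 5157437                      # the integer factored in Example 6.7
    print(power_residues(n, 2, 9))   # r_1, ..., r_9 of Example 6.6
    print(pollard_p_minus_1(n))      # divisor and step, as in Example 6.7
    # Constructed input: for 341 = 11 * 31 the orders of 2 modulo 11 and 31
    # (10 and 5) first divide k! at the same k = 5, so the gcd jumps from 1
    # straight to n and the base 2 gives no information.
    print(pollard_p_minus_1(341))
    print(find_factor(341))          # a later base in the list succeeds
```

The run on 341 shows the failure case the text describes ($M = 0$), and why changing the base can rescue it: the order of the new base modulo each prime factor decides the step at which that factor appears.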


EXERCISES 


1. Show that 10! + 1 is divisible by 11, by grouping together pairs of inverses modulo 11 that
   occur in 10!.
2. Show that 12! + 1 is divisible by 13, by grouping together pairs of inverses modulo 13 that
   occur in 12!.
3. What is the remainder when 16! is divided by 19?
4. What is the remainder when 5!25! is divided by 31?
5. Using Wilson’s theorem, find the least positive residue of $8 \cdot 9 \cdot 10 \cdot 11 \cdot 12 \cdot 13$ modulo 7.
6. What is the remainder when $7 \cdot 8 \cdot 9 \cdot 15 \cdot 16 \cdot 17 \cdot 23 \cdot 24 \cdot 25 \cdot 43$ is divided by 11?
7. What is the remainder when 18! is divided by 437?
8. What is the remainder when 40! is divided by 1763?
9. What is the remainder when 5! is divided by 7?
10. What is the remainder when 62° is divided by 11?
11. Using Fermat’s little theorem, find the least positive residue of 37°99?" °°? modulo 7.
12. Using Fermat’s little theorem, find the least positive residue of 249°9-° modulo 17.
13. Show that $3^{10} \equiv 1 \pmod{11^2}$.
14. Using Fermat’s little theorem, find the last digit of the base 7 expansion of 3!.
15. Using Fermat’s little theorem, find the solutions of the following linear congruences.
    a) $7x \equiv 12 \pmod{17}$    b) $4x \equiv 11 \pmod{19}$
16. Show that if $n$ is a composite integer with $n \neq 4$, then $(n-1)! \equiv 0 \pmod n$.
17. Show that if $p$ is an odd prime, then $2(p-3)! \equiv -1 \pmod p$.


18. Show that if $n$ is odd and $3 \nmid n$, then $n^2 \equiv 1 \pmod{24}$.
19. Show that $a^{12} - 1$ is divisible by 35 whenever $(a, 35) = 1$.
20. Show that $a^6 - 1$ is divisible by 168 whenever $(a, 42) = 1$.
21. Show that $42 \mid (n^7 - n)$ for all positive integers $n$.
22. Show that 30 | (n? — n) for all positive integers n.
23. Show that $1^{p-1} + 2^{p-1} + 3^{p-1} + \cdots + (p-1)^{p-1} \equiv -1 \pmod p$ whenever $p$ is prime. (It
    has been conjectured that the converse of this is also true.)
24. Show that $1^p + 2^p + 3^p + \cdots + (p-1)^p \equiv 0 \pmod p$ when $p$ is an odd prime.
25. Show that if $p$ is prime and $a$ and $b$ are integers not divisible by $p$, with $a^p \equiv b^p \pmod p$,
    then $a^p \equiv b^p \pmod{p^2}$.
26. Use the Pollard p − 1 method to find a divisor of 689.
27. Use the Pollard p − 1 method to find a divisor of 7,331,117. (For this exercise, you will need
    to use either a calculator or computational software.)
28. Show that if $p$ and $q$ are distinct primes, then $p^{q-1} + q^{p-1} \equiv 1 \pmod{pq}$.
29. Show that if $p$ is prime and $a$ is an integer, then $p \mid (a^p + (p-1)!\,a)$.
30. Show that if $p$ is an odd prime, then $1^2 3^2 \cdots (p-4)^2 (p-2)^2 \equiv (-1)^{(p+1)/2} \pmod p$.
31. Show that if $p$ is prime and $p \equiv 3 \pmod 4$, then $((p-1)/2)! \equiv \pm 1 \pmod p$.
32. a) Let p be prime, and suppose that r is a positive integer less than p such that (—1)’r!=
       —1 (mod p). Show that (p — r + 1)!=-—1 (mod p).
    b) Using part (a), show that $61! \equiv 63! \equiv -1 \pmod{71}$.
33. Using Wilson’s theorem, show that if $p$ is a prime and $p \equiv 1 \pmod 4$, then the congruence
    $x^2 \equiv -1 \pmod p$ has two incongruent solutions given by $x \equiv \pm((p-1)/2)! \pmod p$.
34. Show that if $p$ is a prime and $0 < k < p$, then $(p-k)!(k-1)! \equiv (-1)^k \pmod p$.
35. Show that if n is an integer, then

    n

    ra) => pus pee : pu],

    j=2 d

36. Show that if $p$ is a prime and $p > 3$, then $2^{p-2} + 3^{p-2} + 6^{p-2} \equiv 1 \pmod p$.
37. Show that if $n$ is a nonnegative integer, then $5 \mid 1^n + 2^n + 3^n + 4^n$ if and only if $4 \nmid n$.
38. For which positive integers $n$ is $n^4 + 4^n$ prime?
39. Show that the pair of positive integers $n$ and $n + 2$ are twin primes if and only if
    $4((n-1)! + 1) + n \equiv 0 \pmod{n(n+2)}$, where $n \neq 1$.
40. Show that if the positive integers $n$ and $n + k$, where $n > k$ and $k$ is an even positive integer,
    are both prime, then $(k!)^2((n-1)! + 1) + n(k! - 1)(k-1)! \equiv 0 \pmod{n(n+k)}$.
41. Show that if $p$ is prime, then $\binom{2p}{p} \equiv 2 \pmod p$.
42. Exercise 74 of Section 3.5 shows that if $p$ is prime and $k$ is a positive integer less than $p$,
    then the binomial coefficient $\binom{p}{k}$ is divisible by $p$. Use this fact and the binomial theorem
    to show that if $a$ and $b$ are integers, then $(a + b)^p \equiv a^p + b^p \pmod p$.
43. Prove Fermat’s little theorem by mathematical induction. (Hint: In the induction step, use
    Exercise 42 to obtain a congruence for $(a + 1)^p$.)
44. Using Exercise 30 of Section 4.3, prove Gauss’s generalization of Wilson’s theorem, namely,
    that the product of all the positive integers less than $m$ that are relatively prime to $m$ is
    congruent to 1 (mod $m$), unless $m = 4$, $p^t$, or $2p^t$, where $p$ is an odd prime and $t$ is a positive
    integer, in which case it is congruent to −1 (mod $m$).
45. A deck of cards is shuffled by cutting the deck into two piles of 26 cards. Then, the new deck
    is formed by alternating cards from the two piles, starting with the bottom pile.
    a) Show that if a card begins in the $c$th position in the deck, it will be in the $b$th position in
       the new deck, where $b \equiv 2c \pmod{53}$ and $1 \le b \le 52$.
    b) Determine the number of shuffles of the type described above that are needed to return
       the deck of cards to its original order.
46. Let $p$ be prime and let $a$ be a positive integer not divisible by $p$. We define the Fermat quotient
    $q_p(a)$ by $q_p(a) = (a^{p-1} - 1)/p$. Show that if $a$ and $b$ are positive integers not divisible by
    the prime $p$, then $q_p(ab) \equiv q_p(a) + q_p(b) \pmod p$.
47. Let $p$ be prime and let $a_1, a_2, \ldots, a_p$ and $b_1, b_2, \ldots, b_p$ be complete systems of residues
    modulo $p$. Show that $a_1b_1, a_2b_2, \ldots, a_pb_p$ is not a complete system of residues modulo $p$.
48. Show that if $n$ is a positive integer with $n > 2$, then $n$ does not divide $2^n - 1$.
49. Let $p$ be an odd prime. Show that $(p-1)!^{p^{n-1}} \equiv -1 \pmod{p^n}$.
50. Show that if $p$ is a prime with $p > 5$, then $(p-1)! + 1$ has at least two different prime divisors.
51. Show that if $a$ and $n$ are relatively prime integers with $n > 1$, then $n$ is prime if and only if
    $(x - a)^n$ and $x^n - a$ are congruent modulo $n$ as polynomials. (Recall from the preamble to
    Exercise 48 in Section 4.1 that two polynomials are congruent modulo $n$ as polynomials if
    for each power of $x$ the coefficients of that power in the polynomials are congruent modulo
    $n$.) (The proof of Agrawal, Kayal, and Saxena [AgKaSa02] that there is a polynomial-time
    algorithm for determining whether an integer is prime begins with this result.)
52. Find $(n! + 1, (n + 1)!)$ when $n$ is a positive integer.


Computations and Explorations 


1. A Wilson prime is a prime $p$ for which $(p-1)! \equiv -1 \pmod{p^2}$. Find all Wilson primes less
   than 10,000.
2. Find all primes $p$ less than 10,000 for which $2^{p-1} \equiv 1 \pmod{p^2}$.
3. Find a factor of each of several different odd integers of your choice using the Pollard p − 1
   method.
4. Verify the conjecture that $1^{n-1} + 2^{n-1} + 3^{n-1} + \cdots + (n-1)^{n-1} \not\equiv -1 \pmod n$ if $n$ is
   composite, for as many integers $n$ as you can.

Programming Projects


1. Find all Wilson primes less than a given positive integer $n$.
2. Find the primes $p$ less than a given positive integer $n$ for which $2^{p-1} \equiv 1 \pmod{p^2}$.
3. Solve linear congruences with prime moduli via Fermat’s little theorem.
4. Factor a given positive integer $n$ using the Pollard p − 1 method.


6.2 Pseudoprimes 


Fermat’s little theorem tells us that if $n$ is prime and $b$ is any integer, then $b^n \equiv b \pmod n$.
Consequently, if we can find an integer $b$ such that $b^n \not\equiv b \pmod n$, then we know that
$n$ is composite.


Example 6.8. We can show that 63 is not prime by observing that

$$2^{63} = 2^{60} \cdot 2^3 = (2^6)^{10} \cdot 2^3 = 64^{10} \cdot 2^3 \equiv 2^3 = 8 \not\equiv 2 \pmod{63}.$$


Using Fermat’s little theorem, we can show that some integers are composite. It
would be even more useful if it also provided a way to show that an integer is prime.
It is commonly reported that the ancient Chinese believed that if $2^n \equiv 2 \pmod n$, then
$n$ must be prime. This statement is true for $1 < n < 340$. Unfortunately, the converse of
Fermat’s little theorem is not true, as the following example, which was discovered by
Pierre Frédéric Sarrus in 1919, shows.


Example 6.9. Let $n = 341 = 11 \cdot 31$. By Fermat’s little theorem, we see that
$2^{10} \equiv 1 \pmod{11}$, so that $2^{340} = (2^{10})^{34} \equiv 1 \pmod{11}$. Also,
$2^{340} = (2^5)^{68} = (32)^{68} \equiv 1 \pmod{31}$. Hence, by Corollary 4.9.1, we have
$2^{340} \equiv 1 \pmod{341}$. By multiplying both sides of this congruence by 2, we have
$2^{341} \equiv 2 \pmod{341}$, even though 341 is not prime.


Examples such as this lead to the following definition. 


A Historical Inaccuracy

Apparently, the story that the ancient Chinese believed that $n$ is prime if $2^n \equiv 2 \pmod n$ is
due to a mistaken translation and an error by a nineteenth-century Chinese mathematician.
In 1897, J. H. Jeans reported that this statement dates “from the time of Confucius,” which
seems to be the result of an erroneous translation from the book The Nine Chapters of
Mathematical Art. In 1869, Alexander Wade published an article, “A Chinese theorem,” in
the journal Notes and Queries on China, crediting the mathematician Li Shan-Lan (1811-1882)
for this “theorem.” Li learned that this result was false, but the error was perpetuated
by later authors. These historical details come from a letter from Chinese mathematician
Man-Keung Siu to Paulo Ribenboim (see [Ri96] for more information).


Definition. Let $b$ be a positive integer. If $n$ is a composite positive integer and
$b^n \equiv b \pmod n$, then $n$ is called a pseudoprime to the base $b$.


Note that if $(b, n) = 1$, then the congruence $b^n \equiv b \pmod n$ is equivalent to the
congruence $b^{n-1} \equiv 1 \pmod n$. To see this, note that by Corollary 4.5.1 we can divide both
sides of the first congruence by $b$, because $(b, n) = 1$, to obtain the second congruence.
By part (iii) of Theorem 4.4, we can multiply both sides of the second congruence by $b$
to obtain the first. We will often use this equivalent condition.


Example 6.10. The integers $341 = 11 \cdot 31$, $561 = 3 \cdot 11 \cdot 17$, and $645 = 3 \cdot 5 \cdot 43$ are
pseudoprimes to the base 2, because it is easily verified that $2^{340} \equiv 1 \pmod{341}$,
$2^{560} \equiv 1 \pmod{561}$, and $2^{644} \equiv 1 \pmod{645}$.


Remark. Pseudoprimes, as defined above, are sometimes called Fermat pseudoprimes. 
This terminology is used to distinguish them from other types of integers that masquerade 
as primes. More generally, the term pseudoprime is used to describe composite integers 
that pass a particular test, or collection of tests, passed by all primes. Later in this 
section, we will discuss strong pseudoprimes, which are Fermat pseudoprimes that pass 
additional tests. In Chapter 11, we will discuss Euler pseudoprimes, another important 
type of pseudoprimes. 


If there are relatively few pseudoprimes to the base $b$, then checking to see whether
the congruence $b^n \equiv b \pmod n$ holds is a useful test; only a small fraction of composite
numbers pass this test. In fact, there are far fewer pseudoprimes to the base $b$ not
exceeding a specified bound than prime numbers not exceeding that bound. In particular,
there are 455,052,511 primes, but only 14,884 pseudoprimes to the base 2, less than $10^{10}$.
Although pseudoprimes to any given base are rare, there are, nevertheless, infinitely
many pseudoprimes to any given base. We will prove this for the base 2. The following
lemma is useful in the proof.


Lemma 6.1. If $d$ and $n$ are positive integers such that $d$ divides $n$, then $2^d - 1$ divides
$2^n - 1$.


Proof. Given that $d \mid n$, there is a positive integer $t$ with $dt = n$. By setting $x = 2^d$
in the identity $x^t - 1 = (x - 1)(x^{t-1} + x^{t-2} + \cdots + 1)$, we find that
$2^n - 1 = (2^d - 1)(2^{d(t-1)} + 2^{d(t-2)} + \cdots + 2^d + 1)$. Consequently, we have
$(2^d - 1) \mid (2^n - 1)$.


We can now prove that there are infinitely many pseudoprimes to the base 2. 


Theorem 6.6. There are infinitely many pseudoprimes to the base 2. 


Proof. We will show that if $n$ is an odd pseudoprime to the base 2, then $m = 2^n - 1$ is
also an odd pseudoprime to the base 2. Because we have at least one odd pseudoprime
to the base 2, namely, $n_0 = 341$, we will be able to construct infinitely many odd
pseudoprimes to the base 2 by taking $n_0 = 341$ and $n_{k+1} = 2^{n_k} - 1$ for $k = 0, 1, 2, 3, \ldots$.
These integers are all different, because $n_0 < n_1 < n_2 < \cdots < n_k < n_{k+1} < \cdots$.


To continue the proof, let $n$ be an odd pseudoprime to the base 2, so that $n$ is
composite and $2^{n-1} \equiv 1 \pmod n$. Because $n$ is composite, we have $n = dt$, with $1 < d < n$
and $1 < t < n$. We will show that $m = 2^n - 1$ is also pseudoprime, by first showing
that it is composite, and then by showing that $2^{m-1} \equiv 1 \pmod m$.


To see that $m$ is composite, we use Lemma 6.1 to note that $(2^d - 1) \mid (2^n - 1) = m$.
To show that $2^{m-1} \equiv 1 \pmod m$, note that because $2^n \equiv 2 \pmod n$, there is an
integer $k$ with $2^n - 2 = kn$. Hence, $2^{m-1} = 2^{2^n - 2} = 2^{kn}$. By Lemma 6.1, it follows that
$m = (2^n - 1) \mid (2^{kn} - 1) = 2^{m-1} - 1$. Hence, $2^{m-1} - 1 \equiv 0 \pmod m$, so that
$2^{m-1} \equiv 1 \pmod m$. We conclude that $m$ is also a pseudoprime to the base 2.


If we want to know whether an integer $n$ is prime, and we find that $2^{n-1} \equiv 1 \pmod n$,
we know that $n$ is either prime or a pseudoprime to the base 2. One follow-up approach is
to test $n$ with other bases. That is, we check to see whether $b^{n-1} \equiv 1 \pmod n$ for various
positive integers $b$. If we find any values of $b$ with $(b, n) = 1$ and $b^{n-1} \not\equiv 1 \pmod n$, then
we know that $n$ is composite.


Example 6.11. We have seen that 341 is a pseudoprime to the base 2. Let us test whether
341 is also a pseudoprime to the base 7. Because

$$7^3 = 343 \equiv 2 \pmod{341}$$

and

$$2^{10} = 1024 \equiv 1 \pmod{341},$$

we have

$$7^{340} = (7^3)^{113} \cdot 7 \equiv 2^{113} \cdot 7 = (2^{10})^{11} \cdot 2^3 \cdot 7 \equiv 8 \cdot 7 = 56 \not\equiv 1 \pmod{341}.$$

Hence, by the contrapositive of Fermat’s little theorem, we see that 341 is composite,
because $7^{340} \not\equiv 1 \pmod{341}$.


Carmichael Numbers 


Unfortunately, there are composite integers $n$ that cannot be shown to be composite using
the above approach, because there are integers that are pseudoprimes to every base, that
is, there are composite integers $n$ such that $b^{n-1} \equiv 1 \pmod n$, for all $b$ with $(b, n) = 1$.
This leads to the following definition.


Definition. A composite integer $n$ that satisfies $b^{n-1} \equiv 1 \pmod n$ for all positive
integers $b$ with $(b, n) = 1$ is called a Carmichael number (after Robert Carmichael, who
studied them in the early part of the twentieth century) or an absolute pseudoprime.


Example 6.12. The integer $561 = 3 \cdot 11 \cdot 17$ is a Carmichael number. To see this,
note that if $(b, 561) = 1$, then $(b, 3) = (b, 11) = (b, 17) = 1$. Hence, from Fermat’s
little theorem, we have $b^2 \equiv 1 \pmod 3$, $b^{10} \equiv 1 \pmod{11}$, and $b^{16} \equiv 1 \pmod{17}$.
Consequently, $b^{560} = (b^2)^{280} \equiv 1 \pmod 3$, $b^{560} = (b^{10})^{56} \equiv 1 \pmod{11}$, and
$b^{560} = (b^{16})^{35} \equiv 1 \pmod{17}$. Therefore, by Corollary 4.9.1, $b^{560} \equiv 1 \pmod{561}$ for all
$b$ with $(b, n) = 1$.


In 1912, Carmichael conjectured that there are infinitely many Carmichael numbers.
It took 80 years to resolve this conjecture. In 1992, Alford, Granville, and Pomerance
showed that Carmichael was correct.¹ Because of the complicated, nonelementary nature
of their proof, we will not describe it here. However, we will prove one of the key
ingredients, a theorem that can be used to find Carmichael numbers.


Theorem 6.7. If $n = q_1 q_2 \cdots q_k$, where the $q_j$ are distinct primes that satisfy
$(q_j - 1) \mid (n - 1)$ for all $j$ and $k > 2$, then $n$ is a Carmichael number.


Proof. Let $b$ be a positive integer with $(b, n) = 1$. Then $(b, q_j) = 1$ for $j = 1, 2, \ldots, k$,
and hence, by Fermat’s little theorem, $b^{q_j - 1} \equiv 1 \pmod{q_j}$ for $j = 1, 2, \ldots, k$. Because
$(q_j - 1) \mid (n - 1)$ for each integer $j = 1, 2, \ldots, k$, there are integers $t_j$ with
$t_j(q_j - 1) = n - 1$. Hence, for each $j$, we know that $b^{n-1} = b^{(q_j - 1)t_j} \equiv 1 \pmod{q_j}$.
Therefore, by Corollary 4.9.1, we see that $b^{n-1} \equiv 1 \pmod n$, and we conclude that $n$ is a
Carmichael number.


Example 6.13. Theorem 6.7 shows that 6601 = 7 - 23 - 41 is a Carmichael number, 
because 7, 23, and 41 are all prime, 6 = (7 — 1) | 6600, 22 = (23 — 1) | 6600, and 40 = 
(41 — 1) | 6600. < 


The converse of Theorem 6.7 is also true, that is, all Carmichael numbers are of the
form $q_1 q_2 \cdots q_k$, where the $q_j$ are distinct primes and $(q_j - 1) \mid (n - 1)$ for all $j$. We
will prove this fact in Chapter 9.


By the way, it has been shown that although there are only 43 Carmichael numbers
not exceeding $10^6$, there are 105,212 of them not exceeding $10^{15}$.


Miller’s Test 


Once the congruence $b^{n-1} \equiv 1 \pmod n$, where $n$ is an odd integer, has been verified,
another possible approach is to consider the least positive residue of $b^{(n-1)/2}$ modulo
$n$. We note that if $x = b^{(n-1)/2}$, then $x^2 = b^{n-1} \equiv 1 \pmod n$. If $n$ is prime, by Theorem
4.12 we know that either $x \equiv 1$ or $x \equiv -1 \pmod n$. Consequently, once we have found
that $b^{n-1} \equiv 1 \pmod n$, we can check to see whether $b^{(n-1)/2} \equiv \pm 1 \pmod n$. If this
congruence does not hold, then we know that $n$ is composite.


¹ In particular, they showed that $C(x)$, the number of Carmichael numbers not exceeding $x$, satisfies the
inequality $C(x) > x^{2/7}$ for sufficiently large numbers $x$.


ROBERT DANIEL CARMICHAEL (1879-1967) was born in Goodwater,
Alabama. He received his B.A. from Lineville College in 1898 and his Ph.D. in
1911 from Princeton University. Carmichael taught at Indiana University from
1911 to 1915, and at the University of Illinois from 1915 until 1947. His thesis,
written under the direction of G. D. Birkhoff, was considered the first significant
American contribution to differential equations. Carmichael worked in a wide
range of areas, including real analysis, differential equations, mathematical
physics, group theory, and number theory.


Example 6.14. Let $b = 5$ and let $n = 561$, the smallest Carmichael number. We find
that $5^{(561-1)/2} = 5^{280} \equiv 67 \pmod{561}$. Hence, 561 is composite.


To continue developing primality tests, we need the following definitions. 


Definition. Let $n$ be an integer with $n > 2$ and $n - 1 = 2^s t$, where $s$ is a nonnegative
integer and $t$ is an odd positive integer. We say that $n$ passes Miller’s test for the base $b$
if either $b^t \equiv 1 \pmod n$ or $b^{2^j t} \equiv -1 \pmod n$ for some $j$ with $0 \le j \le s - 1$.

The following example shows that 2047 passes Miller’s test for the base 2.

Example 6.15. Let $n = 2047 = 23 \cdot 89$. Then $2^{2046} = (2^{11})^{186} = (2048)^{186} \equiv 1 \pmod{2047}$,
so that 2047 is a pseudoprime to the base 2. Because
$2^{2046/2} = 2^{1023} = (2^{11})^{93} = (2048)^{93} \equiv 1 \pmod{2047}$, 2047 passes Miller’s test for the base 2.


We now show that if $n$ is prime, then $n$ passes Miller’s test for all bases $b$ with $n \nmid b$.


Theorem 6.8. If $n$ is prime and $b$ is a positive integer with $n \nmid b$, then $n$ passes Miller’s
test for the base $b$.


Proof. Let $n - 1 = 2^s t$, where $s$ is a nonnegative integer and $t$ is an odd positive
integer. Let $x_k = b^{(n-1)/2^k} = b^{2^{s-k} t}$, for $k = 0, 1, 2, \ldots, s$. Because $n$ is prime,
Fermat’s little theorem tells us that $x_0 = b^{n-1} \equiv 1 \pmod n$. By Theorem 4.12, because
$x_1^2 = (b^{(n-1)/2})^2 = x_0 \equiv 1 \pmod n$, either $x_1 \equiv -1 \pmod n$ or $x_1 \equiv 1 \pmod n$. If
$x_1 \equiv 1 \pmod n$, because $x_2^2 = x_1 \equiv 1 \pmod n$, either $x_2 \equiv -1 \pmod n$ or $x_2 \equiv 1 \pmod n$.
In general, if we have found that $x_0 \equiv x_1 \equiv x_2 \equiv \cdots \equiv x_k \equiv 1 \pmod n$, with $k < s$,
then, because $x_{k+1}^2 = x_k \equiv 1 \pmod n$, we know that either $x_{k+1} \equiv -1 \pmod n$ or
$x_{k+1} \equiv 1 \pmod n$.

Continuing this procedure for $k = 1, 2, \ldots, s$, we find that either $x_s \equiv 1 \pmod n$ or
$x_k \equiv -1 \pmod n$ for some integer $k$, with $0 \le k \le s$. Hence, $n$ passes Miller’s test for
the base $b$.


If the positive integer $n$ passes Miller’s test for the base $b$, then either $b^t \equiv 1 \pmod n$
or $b^{2^j t} \equiv -1 \pmod n$ for some $j$ with $0 \le j \le s - 1$, where $n - 1 = 2^s t$ and $t$ is odd.


In either case, we have $b^{n-1} \equiv 1 \pmod n$, because $b^{n-1} = (b^{2^j t})^{2^{s-j}}$ for
$j = 0, 1, 2, \ldots, s$, so that a composite integer $n$ that passes Miller’s test for the base $b$
is automatically a pseudoprime to the base $b$. With this observation, we are led to the
following definition.


Definition. If $n$ is composite and passes Miller’s test for the base $b$, then we say $n$ is a
strong pseudoprime to the base $b$.


Example 6.16. By Example 6.15, we see that 2047 is a strong pseudoprime to the
base 2.


Although strong pseudoprimes are exceedingly rare, there are still infinitely many 
of them. We demonstrate this for the base 2 with the following theorem. 


Theorem 6.9. There are infinitely many strong pseudoprimes to the base 2. 


Proof. We shall show that if $n$ is a pseudoprime to the base 2, then $N = 2^n - 1$ is a
strong pseudoprime to the base 2.


Let $n$ be an odd integer that is a pseudoprime to the base 2. Hence, $n$ is composite,
and $2^{n-1} \equiv 1 \pmod n$. From this congruence, we see that $2^{n-1} - 1 = nk$ for some integer
$k$; furthermore, $k$ must be odd. We have

$$N - 1 = 2^n - 2 = 2(2^{n-1} - 1) = 2^1 nk;$$

this is the factorization of $N - 1$ into an odd integer and a power of 2.
We now note that

$$2^{(N-1)/2} = 2^{nk} = (2^n)^k \equiv 1 \pmod N,$$

because $2^n = (2^n - 1) + 1 = N + 1 \equiv 1 \pmod N$. This demonstrates that $N$ passes
Miller’s test.


In the proof of Lemma 6.1, we showed that if $n$ is composite, then $N = 2^n - 1$
also is composite. Hence, $N$ passes Miller’s test and is composite, so that $N$ is a strong
pseudoprime to the base 2. Because every pseudoprime $n$ to the base 2 yields a strong
pseudoprime $2^n - 1$ to the base 2, and because there are infinitely many pseudoprimes to
the base 2, we conclude that there are infinitely many strong pseudoprimes to the base 2.


The following observations are useful in combination with Miller’s test for checking
the primality of relatively small integers. The smallest odd strong pseudoprime to the base
2 is 2047, so that if $n < 2047$, $n$ is odd, and $n$ passes Miller’s test to the base 2, then $n$
is prime. Likewise, 1,373,653 is the smallest odd strong pseudoprime to both the bases
2 and 3, giving us a primality test for integers less than 1,373,653. The smallest odd
strong pseudoprime to the bases 2, 3, and 5 is 25,326,001, and the smallest odd strong
pseudoprime to all the bases 2, 3, 5, and 7 is 3,215,031,751. Furthermore, there are no
other strong pseudoprimes to all these bases that are less than $25 \cdot 10^9$. (The reader should
verify these statements.) This leads us to a primality test for integers less than $25 \cdot 10^9$.
An odd integer $n$ is prime if $n < 25 \cdot 10^9$, $n$ passes Miller’s test for the bases 2, 3, 5, and
7, and $n \neq 3{,}215{,}031{,}751$.


Computations show that there are only 101 integers less than $10^{12}$ that are strong
pseudoprimes to the bases 2, 3, and 5 simultaneously. Only 9 of these are also strong
pseudoprimes to the base 7, and none of these is a strong pseudoprime to the base
11. The smallest strong pseudoprime to the bases 2, 3, 5, 7, and 11 simultaneously is
2,152,302,898,747. Therefore, an odd integer $n$ with $n < 2{,}152{,}302{,}898{,}747$
is prime if it passes Miller’s test for the bases 2, 3, 5, 7, and 11. If we want to
test even bigger integers for primality in this way, we can use the observation that no
positive integer less than 341,550,071,728,321 is a strong pseudoprime to the bases 2,
3, 5, 7, 11, 13, and 17. A positive odd integer not exceeding this number is prime if it
passes Miller’s test for the seven primes, 2, 3, 5, 7, 11, 13, and 17.


There is no analogue to a Carmichael number for strong pseudoprimes. This is a 
consequence of the following theorem. 


Theorem 6.10. If $n$ is an odd composite positive integer, then $n$ passes Miller’s test for
at most $(n - 1)/4$ bases $b$ with $1 \le b \le n - 1$.


We prove Theorem 6.10 in Chapter 9. Note that Theorem 6.10 tells us that if $n$
passes Miller’s tests for more than $(n - 1)/4$ bases less than $n$, then $n$ must be prime.
However, this is a rather lengthy way to show that a positive integer $n$ is prime, worse
than performing trial divisions. Miller’s test does give an interesting and quick way of
showing that an integer $n$ is “probably prime.” To see this, take at random an integer $b$
with $1 \le b \le n - 1$ (we will see how to make this “random” choice in Chapter 10). From
Theorem 6.10, we see that if $n$ is composite, the probability that $n$ passes Miller’s test for
the base $b$ is less than 1/4. If we pick $k$ different bases less than $n$ and perform Miller’s
tests for each of these bases, we are led to the following result.


Theorem 6.11. Rabin’s Probabilistic Primality Test. Let $n$ be a positive integer. Pick
$k$ different positive integers less than $n$ and perform Miller’s test on $n$ for each of these
bases. If $n$ is composite, the probability that $n$ passes all $k$ tests is less than $(1/4)^k$.


Let $n$ be a composite positive integer. Using Rabin’s probabilistic primality test, if
we pick 100 different integers at random between 1 and $n$ and perform Miller’s test for
each of these 100 bases, then the probability that $n$ passes all the tests is less than $10^{-60}$,
an extremely small number. In fact, it may be more likely that a computer error was made
than that a composite integer passes all 100 tests. Using Rabin’s primality test does not
definitely prove that an integer $n$ that passes some large number of tests is prime, but
it does give extremely strong, indeed almost overwhelming, evidence that the integer is
prime.
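
The tests of this section side by side, as an added Python example (not code from the book): the Fermat congruence, Miller’s test as defined above, a count of the bases a composite passes (the quantity bounded in Theorem 6.10), and a deterministic primality check built from the base sets and bounds quoted earlier in this section. The function names are assumptions of this example; the moduli and bounds are the ones given in the text.

```python
from math import gcd


def fermat_passes(n, b):
    """True when b^(n-1) ≡ 1 (mod n), i.e. n is prime or a pseudoprime to
    the base b (for a base b with (b, n) = 1)."""
    return pow(b, n - 1, n) == 1


def passes_fermat_for_all_coprime_bases(n):
    """True when b^(n-1) ≡ 1 (mod n) for every 1 <= b < n with (b, n) = 1.
    For composite n this is the definition of a Carmichael number."""
    return all(fermat_passes(n, b) for b in range(1, n) if gcd(b, n) == 1)


def miller_passes(n, b):
    """Miller's test for an odd integer n > 2 and the base b."""
    s, t = 0, n - 1
    while t % 2 == 0:            # write n - 1 = 2^s * t with t odd
        s, t = s + 1, t // 2
    x = pow(b, t, n)
    if x == 1 or x == n - 1:     # b^t ≡ 1, or the case j = 0: b^t ≡ -1
        return True
    for _ in range(1, s):        # j = 1, ..., s - 1
        x = x * x % n            # x = b^(2^j * t) mod n
        if x == n - 1:
            return True
    return False


def strong_liar_count(n):
    """Number of bases b, 1 <= b <= n - 1, for which odd n passes Miller's test."""
    return sum(1 for b in range(1, n) if miller_passes(n, b))


# Bounds quoted in the text: an odd n below a bound that passes Miller's test
# for every base listed with that bound is prime.
BOUNDS = (
    (2047, (2,)),
    (1373653, (2, 3)),
    (25326001, (2, 3, 5)),
    (3215031751, (2, 3, 5, 7)),
    (2152302898747, (2, 3, 5, 7, 11)),
    (341550071728321, (2, 3, 5, 7, 11, 13, 17)),
)
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17)


def is_prime(n):
    """Deterministic check for n < 341,550,071,728,321 using the bounds above."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:       # also guarantees n is odd and n does not divide b
        if n % p == 0:
            return n == p
    for bound, bases in BOUNDS:
        if n < bound:
            return all(miller_passes(n, b) for b in bases)
    raise ValueError("n is beyond the bounds quoted in the text")


if __name__ == "__main__":
    print(fermat_passes(341, 2), fermat_passes(341, 7))   # Examples 6.9, 6.11
    print(passes_fermat_for_all_coprime_bases(561))       # Example 6.12
    print(miller_passes(561, 5), miller_passes(2047, 2))  # Examples 6.14, 6.15
    print(strong_liar_count(561), (561 - 1) // 4)         # Theorem 6.10
    print(is_prime(3215031751))                           # needs the base 11
```

Note that 561 passes the Fermat congruence for every base coprime to it, yet passes Miller’s test for only a handful of bases, which is the contrast Theorem 6.10 makes precise.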


There is a famous conjecture in analytic number theory called the generalized 
Riemann hypothesis, which is a statement about the famous Riemann zeta function, 
named after the German mathematician Georg Friedrich Bernhard Riemann, which is 
discussed in Section 3.2. The following conjecture due to Eric Bach is a consequence of 
this hypothesis. 


Conjecture 6.1. For every composite positive integer $n$, there is a base $b$, with
$b < 2(\log_2 n)^2$, such that $n$ fails Miller’s test for the base $b$.


If this conjecture is true, as many number theorists believe, the following result 
provides a rapid primality test. 

Theorem 6.12. If the generalized Riemann hypothesis is valid, then there is an
algorithm to determine whether a positive integer $n$ is prime using $O((\log_2 n)^5)$ bit operations.


Proof. Let $b$ be a positive integer less than $n$. To perform Miller’s test for the base $b$ on $n$
takes $O((\log_2 n)^3)$ bit operations, because this test requires that we perform no more than
$\log_2 n$ modular exponentiations, each using $O((\log_2 b)^2)$ bit operations. Assume that the
generalized Riemann hypothesis is true. If $n$ is composite, then by Conjecture 6.1, there
is a base $b$ with $1 < b < 2(\log_2 n)^2$ such that $n$ fails Miller’s test for $b$. To discover this
$b$ requires less than $O((\log_2 n)^3) \cdot O((\log_2 n)^2) = O((\log_2 n)^5)$ bit operations. Hence,
using $O((\log_2 n)^5)$ bit operations, we can determine whether $n$ is composite or prime.


The important point about Rabin’s probabilistic primality test and Theorem 6.12
is that both results indicate that it is possible to check an integer $n$ for primality using
only $O((\log_2 n)^k)$ bit operations, where $k$ is a positive integer. (Also, the recent result of
Agrawal, Kayal, and Saxena [AgKaSa02] shows that there is a deterministic test using
$O((\log_2 n)^k)$ bit operations.) This contrasts strongly with the problem of factoring.
The best algorithm known for factoring an integer requires a number of bit operations
exponential in the square root of the logarithm of the number of bits in the integer being
factored, whereas primality testing seems to require only a number of bit operations
less than a polynomial in the number of bits of the integer tested. We capitalize on this
difference by presenting a recently invented cipher system in Chapter 8.


6.2 EXERCISES 


1. Show that 91 is a pseudoprime to the base 3.
2. Show that 45 is a pseudoprime to the bases 17 and 19.
3. Show that the even integer $n = 161{,}038 = 2 \cdot 73 \cdot 1103$ satisfies the congruence $2^n \equiv 2 \pmod{n}$. The integer 161,038 is the smallest even pseudoprime to the base 2.


4. Show that every odd composite integer is a pseudoprime to both the base 1 and the base —1. 


GEORG FRIEDRICH BERNHARD RIEMANN (1826-1866), the son of a
minister, was born in Breselenz, Germany. His elementary education came from
his father. After completing his secondary education, he entered Göttingen University
to study theology. However, he also attended lectures on mathematics.
After receiving the approval of his father to concentrate on mathematics, Riemann
transferred to Berlin University, where he studied under several prominent
mathematicians, including Dirichlet and Jacobi. He subsequently returned to
Göttingen, where he obtained his Ph.D.

Riemann was one of the most imaginative and creative mathematicians of all time. He made
fundamental contributions to geometry, mathematical physics, and analysis. He wrote only one paper
on number theory, which was eight pages long, but this paper has had tremendous impact. Riemann
died of tuberculosis at the early age of 39.
5. Show that if n is an odd composite integer and n is a pseudoprime to the base a, then n is a pseudoprime to the base n − a.

6. Show that if $n = (a^{2p} - 1)/(a^2 - 1)$, where a is an integer, a > 1, and p is an odd prime not dividing $a(a^2 - 1)$, then n is a pseudoprime to the base a. Conclude that there are infinitely many pseudoprimes to any base a. (Hint: To establish that $a^{n-1} \equiv 1 \pmod{n}$, show that $2p \mid (n - 1)$, and demonstrate that $a^{2p} \equiv 1 \pmod{n}$.)

7. Show that every composite Fermat number $F_m = 2^{2^m} + 1$ is a pseudoprime to the base 2.

8. Show that if p is prime and $2^p - 1$ is composite, then $2^p - 1$ is a pseudoprime to the base 2.


9. Show that if n is a pseudoprime to the bases a and b, then n is also a pseudoprime to the base ab.

10. Suppose that a and n are relatively prime positive integers. Show that if n is a pseudoprime to the base a, then n is a pseudoprime to the base $\bar{a}$, where $\bar{a}$ is an inverse of a modulo n.

11. Show that if n is a pseudoprime to the base a, but not a pseudoprime to the base b, where (a, n) = (b, n) = 1, then n is not a pseudoprime to the base ab.

12. Show that 25 is a strong pseudoprime to the base 7.

13. Show that 1387 is a pseudoprime, but not a strong pseudoprime, to the base 2.

14. Show that 1,373,653 is a strong pseudoprime to both bases 2 and 3.

15. Show that 25,326,001 is a strong pseudoprime to bases 2, 3, and 5.

16. Show that the following integers are Carmichael numbers.

a) 2821 = 7 · 13 · 31          e) 278,545 = 5 · 17 · 29 · 113
b) 10,585 = 5 · 29 · 73        f) 172,081 = 7 · 13 · 31 · 61
c) 29,341 = 13 · 37 · 61       g) 564,651,361 = 43 · 3361 · 3907
d) 314,821 = 13 · 61 · 397

17. Find a Carmichael number of the form 7 · 23 · q, where q is an odd prime other than q = 41, or show that there are no others.

18. a) Show that every integer of the form (6m + 1)(12m + 1)(18m + 1), where m is a positive integer such that 6m + 1, 12m + 1, and 18m + 1 are all primes, is a Carmichael number.

b) Conclude from part (a) that 1729 = 7 · 13 · 19; 294,409 = 37 · 73 · 109; 56,052,361 = 211 · 421 · 631; 118,901,521 = 271 · 541 · 811; and 172,947,529 = 307 · 613 · 919 are Carmichael numbers.

19. The smallest Carmichael number with six prime factors is 5 · 19 · 23 · 29 · 37 · 137 = 321,197,185. Verify that this number is a Carmichael number.

20. Show that if n is a Carmichael number, then n is square-free.

21. Show that if n is a positive integer with $n \equiv 3 \pmod{4}$, then Miller’s test takes $O((\log_2 n)^3)$ bit operations.


Computations and Explorations 


1. Determine for which positive integers n, n < 100, the integer $n \cdot 2^n - 1$ is prime.

2. Find as many Carmichael numbers of the form (6m + 1)(12m + 1)(18m + 1), where 6m + 1, 12m + 1, and 18m + 1 are all prime, as you can.

3. Find as many even pseudoprimes to the base 2 that are the product of three primes as you can. Do you think that there are infinitely many?

4. The integers of the form $n \cdot 2^n + 1$, where n is a positive integer greater than 1, are called Cullen numbers. Can you find a prime Cullen number?


Programming Projects 


1. Given a positive integer n, determine whether n satisfies the congruence $b^{n-1} \equiv 1 \pmod{n}$, where b is a positive integer less than n; if it does, then n is either a prime or a pseudoprime to the base b.

2. Given a positive integer n, determine whether n passes Miller’s test to the base b; if it does, then n is either prime or a strong pseudoprime to the base b.

3. Perform a primality test for integers less than $25 \cdot 10^9$ based on Miller’s test for the bases 2, 3, 5, and 7. (Use the remarks that follow Theorem 6.9.)

4. Perform a primality test for integers less than 2,152,302,898,747 based on Miller’s test for the bases 2, 3, 5, 7, and 11. (Use the remarks that follow Theorem 6.9.)

5. Perform a primality test for integers less than 341,550,071,728,321 based on Miller’s test for the bases 2, 3, 5, 7, 11, 13, and 17. (Use the remarks that follow Theorem 6.9.)

6. Given an odd positive integer n, determine whether n passes Rabin’s probabilistic primality test.

7. Given a positive integer n, find all Carmichael numbers < n.


Euler’s Theorem 


Fermat’s little theorem tells us how to work with certain congruences involving exponents 
when the modulus is a prime. How do we work with the corresponding congruences 
modulo a composite integer? 


For this purpose, we would like to establish a congruence analogous to that provided 
by Fermat’s little theorem for composite integers. As mentioned in Section 6.1, the great 
Swiss mathematician Leonhard Euler published a proof of Fermat’s little theorem in 
1736. In 1760, Euler managed to find a natural generalization of the congruence in 
Fermat’s little theorem that holds for composite integers. Before introducing this result, 
we need to define a special counting function (introduced by Euler) used in the theorem. 


Definition. Let n be a positive integer. The Euler phi-function $\phi(n)$ is defined to be
the number of positive integers not exceeding n that are relatively prime to n.


In Table 6.1, we display the values of $\phi(n)$ for $1 \le n \le 12$. The values of $\phi(n)$ for
$1 \le n \le 100$ are given in Table 2 of Appendix E.


In Chapter 7, we study the Euler phi-function further. In this section, we use the phi- 
function to give an analogue of Fermat’s little theorem for composite moduli. To do this, 
we need to lay some groundwork. 
Table 6.1 The values of Euler’s phi-function for $1 \le n \le 12$.


Definition. A reduced residue system modulo n is a set of $\phi(n)$ integers such that each
element of the set is relatively prime to n, and no two different elements of the set are
congruent modulo n.


Example 6.17. The set {1, 3, 5, 7} is a reduced residue system modulo 8. The set
{−3, −1, 1, 3} is also such a set. ◀


We will need the following theorem about reduced residue systems. 


Theorem 6.13. If $r_1, r_2, \ldots, r_{\phi(n)}$ is a reduced residue system modulo n, and if a is
a positive integer with (a, n) = 1, then the set $ar_1, ar_2, \ldots, ar_{\phi(n)}$ is also a reduced
residue system modulo n.


Proof. To show that each integer $ar_j$ is relatively prime to n, we assume that $(ar_j, n) > 1$.
Then, there is a prime divisor p of $(ar_j, n)$. Hence, either $p \mid a$ or $p \mid r_j$. Thus, we have
either $p \mid a$ and $p \mid n$, or $p \mid r_j$ and $p \mid n$. However, we cannot have both $p \mid r_j$ and $p \mid n$,
because $r_j$ is a member of a reduced residue system modulo n, and both $p \mid a$ and $p \mid n$
cannot hold because (a, n) = 1. Hence, we can conclude that $ar_j$ and n are relatively
prime for $j = 1, 2, \ldots, \phi(n)$.

To demonstrate that no two $ar_j$ are congruent modulo n, we assume that
$ar_j \equiv ar_k \pmod{n}$, where j and k are distinct positive integers with $1 \le j \le \phi(n)$ and
$1 \le k \le \phi(n)$. Because (a, n) = 1, by Corollary 4.5.1 we see that $r_j \equiv r_k \pmod{n}$. This is a
contradiction, because $r_j$ and $r_k$ come from the original set of reduced residues modulo
n, so that $r_j \not\equiv r_k \pmod{n}$. ■


LEONHARD EULER (1707-1783) was the son of a minister from the vicinity
of Basel, Switzerland, who, besides theology, had also studied mathematics. At
13, Euler entered the University of Basel with the aim of pursuing a career in
theology, as his father wished. At the university, Euler was tutored in mathematics
by Johann Bernoulli, of the famous Bernoulli family of mathematicians, and
became friends with Johann’s sons Nicklaus and Daniel. His interest in mathematics
led him to abandon his plans to follow in his father’s footsteps. Euler
obtained his master’s degree in philosophy at the age of 16. In 1727, Peter the
Great invited Euler to join the Imperial Academy in St. Petersburg, at the insistence of Nicklaus and
Daniel Bernoulli, who had entered the academy in 1725 when it was founded. Euler spent the years
1727-1741 and 1766-1783 at the Imperial Academy. He spent the interval 1741-1766 at the Royal
Academy of Berlin. Euler was incredibly prolific; he wrote more than 700 books and papers, and he
left so much unpublished work that the Imperial Academy did not finish publication of Euler’s work
for 47 years after his death. During his life, his papers accumulated so rapidly that he kept a pile of
papers to be published for the academy. They published the top papers in the pile first, so that later
results were published before results they superseded or depended on. Euler was blind for the last
17 years of his life, but had a fantastic memory, so that his blindness did not deter his mathematical
output. He also had 13 children, and was able to continue his research while a child or two bounced
on his knees. The publication of the collected works and letters of Euler, the Opera Omnia, by the
Swiss Academy of Science will require more than 85 large volumes, of which 76 have already been
published (as of late 1999).

We illustrate the use of Theorem 6.13 with an example. 
Example 6.18. The set 1, 3, 5, 7 is a reduced residue system modulo 8. Because
(3, 8) = 1, from Theorem 6.13, the set 3 · 1 = 3, 3 · 3 = 9, 3 · 5 = 15, 3 · 7 = 21 is also a
reduced residue system modulo 8. ◀


We now state Euler’s theorem. 


Theorem 6.14. Euler’s Theorem. If m is a positive integer and a is an integer with
(a, m) = 1, then $a^{\phi(m)} \equiv 1 \pmod{m}$.


Before we prove Euler’s theorem, we illustrate the idea behind the proof with an 
example. 


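Example 6.19. We know that both the sets 1, 3, 5, 7 and 3 · 1, 3 · 3, 3 · 5, 3 · 7 are
reduced residue systems modulo 8. Hence, they have the same least positive residues
modulo 8. Therefore,

$$(3 \cdot 1) \cdot (3 \cdot 3) \cdot (3 \cdot 5) \cdot (3 \cdot 7) \equiv 1 \cdot 3 \cdot 5 \cdot 7 \pmod{8},$$

and

$$3^4 \cdot 1 \cdot 3 \cdot 5 \cdot 7 \equiv 1 \cdot 3 \cdot 5 \cdot 7 \pmod{8}.$$

Because (1 · 3 · 5 · 7, 8) = 1, we conclude that

$$3^4 = 3^{\phi(8)} \equiv 1 \pmod{8}.$$ ◀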


We now use the ideas illustrated by this example to prove Euler’s theorem. 


Proof. Let $r_1, r_2, \ldots, r_{\phi(m)}$ denote the reduced residue system made up of the positive
integers not exceeding m that are relatively prime to m. By Theorem 6.13, because
(a, m) = 1, the set $ar_1, ar_2, \ldots, ar_{\phi(m)}$ is also a reduced residue system modulo m.
Hence, the least positive residues of $ar_1, ar_2, \ldots, ar_{\phi(m)}$ must be the integers
$r_1, r_2, \ldots, r_{\phi(m)}$, in some order. Consequently, if we multiply together all terms in each
of these reduced residue systems, we obtain

$$ar_1 \, ar_2 \cdots ar_{\phi(m)} \equiv r_1 r_2 \cdots r_{\phi(m)} \pmod{m}.$$

Thus,

$$a^{\phi(m)} r_1 r_2 \cdots r_{\phi(m)} \equiv r_1 r_2 \cdots r_{\phi(m)} \pmod{m}.$$

Because $(r_1 r_2 \cdots r_{\phi(m)}, m) = 1$, from Corollary 4.5.1, we can conclude that
$a^{\phi(m)} \equiv 1 \pmod{m}$. ■


We can use Euler’s theorem to find inverses modulo m. If a and m are relatively
prime, we know that

$$a \cdot a^{\phi(m)-1} = a^{\phi(m)} \equiv 1 \pmod{m}.$$

Hence, $a^{\phi(m)-1}$ is an inverse of a modulo m.


Example 6.20. We know that $2^{\phi(9)-1} = 2^{6-1} = 2^5 = 32 \equiv 5 \pmod{9}$ is an inverse of
2 modulo 9. ◀


We can solve linear congruences using this observation. To solve $ax \equiv b \pmod{m}$,
where (a, m) = 1, we multiply both sides of this congruence by $a^{\phi(m)-1}$ to obtain

$$a^{\phi(m)-1} a x \equiv a^{\phi(m)-1} b \pmod{m}.$$

Therefore, the solutions are those integers x such that $x \equiv a^{\phi(m)-1} b \pmod{m}$.


Example 6.21. The solutions of $3x \equiv 7 \pmod{10}$ are given by
$x \equiv 3^{\phi(10)-1} \cdot 7 \equiv 3^3 \cdot 7 \equiv 9 \pmod{10}$, because $\phi(10) = 4$. ◀
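An added Python example (not code from the book) that carries out the computations of this section: the permutation property of Theorem 6.13, inverses and linear congruences through $a^{\phi(m)-1}$, and, going one step beyond the text, the Chinese remainder formula stated in Exercise 14 of this section. The function names are choices made for this example, and $\phi$ is computed directly from its definition, which is practical only for small moduli.

```python
from math import gcd, prod


def reduced_residues(n: int) -> list:
    """Least positive reduced residue system modulo n."""
    return [r for r in range(1, n + 1) if gcd(r, n) == 1]


def phi(n: int) -> int:
    """Euler phi-function, straight from the definition (O(n) gcds)."""
    return len(reduced_residues(n))


def multiplication_permutes(a: int, n: int) -> bool:
    """Theorem 6.13: if (a, n) = 1, then a*r_1, ..., a*r_phi(n) has the
    same least positive residues as r_1, ..., r_phi(n)."""
    rrs = reduced_residues(n)
    return sorted(a * r % n for r in rrs) == rrs


def euler_inverse(a: int, m: int) -> int:
    """Inverse of a modulo m as a^(phi(m) - 1); requires (a, m) = 1."""
    if gcd(a, m) != 1:
        # Euler's theorem does not apply, e.g. 2^phi(8) = 16 = 0 (mod 8).
        raise ValueError(f"{a} and {m} are not relatively prime")
    return pow(a, phi(m) - 1, m)


def solve_linear_congruence(a: int, b: int, m: int) -> int:
    """Least nonnegative x with a*x = b (mod m), where (a, m) = 1."""
    return euler_inverse(a, m) * b % m


def crt_euler(congruences: list) -> int:
    """Solve x = a_j (mod m_j) for pairwise relatively prime m_j using
    x = sum of a_j * M_j^phi(m_j) (mod M), with M_j = M / m_j."""
    moduli = [m for _, m in congruences]
    for i, mi in enumerate(moduli):
        for mj in moduli[i + 1:]:
            if gcd(mi, mj) != 1:
                raise ValueError("moduli must be pairwise relatively prime")
    M = prod(moduli)
    # M_j^phi(m_j) is 1 modulo m_j (Euler) and 0 modulo every other m_i.
    return sum(a * pow(M // m, phi(m), M) for a, m in congruences) % M


if __name__ == "__main__":
    print("Example 6.18:", multiplication_permutes(3, 8))
    print("Example 6.20: inverse of 2 mod 9 =", euler_inverse(2, 9))
    print("Example 6.21: 3x = 7 (mod 10), x =", solve_linear_congruence(3, 7, 10))
    # Constructed sample system: x = 2 (mod 3), x = 3 (mod 5), x = 2 (mod 7).
    print("CRT:", crt_euler([(2, 3), (3, 5), (2, 7)]))
    # Cross-check against Python's built-in modular inverse (3.8+).
    print("matches pow(a, -1, m):", euler_inverse(7, 40) == pow(7, -1, 40))
```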


EXERCISES 


1. Find a reduced residue system modulo each of the following integers.

a) 6   b) 9   c) 10   d) 14   e) 16   f) 17

2. Find a reduced residue system modulo $2^m$, where m is a positive integer.

3. Show that if $c_1, c_2, \ldots, c_{\phi(m)}$ is a reduced residue system modulo m, where m is a positive integer with $m \ne 2$, then $c_1 + c_2 + \cdots + c_{\phi(m)} \equiv 0 \pmod{m}$.

4. Show that if a and m are positive integers with (a, m) = (a − 1, m) = 1, then $1 + a + a^2 + \cdots + a^{\phi(m)-1} \equiv 0 \pmod{m}$.


. Find the last digit of the decimal expansion of 3! 

. Find the last digit of the decimal expansion of 799%”. 

. Use Euler’s theorem to find the least positive residue of 3!97-° modulo 35. 

8. Show that if a is an integer such that a is not divisible by 3 or such that a is divisible by 9, then $a^7 \equiv a \pmod{63}$.

9. Show that if a is an integer relatively prime to 32,760, then $a^{12} \equiv 1 \pmod{32{,}760}$.

10. Show that $a^{\phi(b)} + b^{\phi(a)} \equiv 1 \pmod{ab}$, if a and b are relatively prime positive integers.

11. Solve each of the following linear congruences using Euler’s theorem.

a) $5x \equiv 3 \pmod{14}$   b) $4x \equiv 7 \pmod{15}$   c) $3x \equiv 5 \pmod{16}$

12. Solve each of the following linear congruences using Euler’s theorem.

a) $3x \equiv 11 \pmod{20}$   b) $10x \equiv 19 \pmod{21}$   c) $8x \equiv 13 \pmod{22}$

13. Suppose that $n = p_1 p_2 \cdots p_k$, where $p_1, p_2, \ldots, p_k$ are distinct odd primes. Show that $a^{\phi(n)+1} \equiv a \pmod{n}$.
14. Show that the solutions to the simultaneous system of congruences

$$\begin{aligned} x &\equiv a_1 \pmod{m_1} \\ x &\equiv a_2 \pmod{m_2} \\ &\;\;\vdots \\ x &\equiv a_r \pmod{m_r}, \end{aligned}$$

where the $m_j$ are pairwise relatively prime, are given by

$$x \equiv a_1 M_1^{\phi(m_1)} + a_2 M_2^{\phi(m_2)} + \cdots + a_r M_r^{\phi(m_r)} \pmod{M},$$

where $M = m_1 m_2 \cdots m_r$ and $M_j = M/m_j$ for $j = 1, 2, \ldots, r$.

15. Use Exercise 14 to solve each of the systems of congruences in Exercise 4 of Section 4.3.

16. Use Exercise 14 to solve the system of congruences in Exercise 5 of Section 4.3.


Use Euler’s theorem to find the last digit in the decimal expansion of 7!°©, 


18. Use Euler’s theorem to find the last digit in the hexadecimal expansion of $5^{1{,}000{,}000}$.

19. Find $\phi(n)$ for the integers n with $13 \le n \le 20$.

20. Show that every positive integer relatively prime to 10 divides infinitely many repunits (see the preamble to Exercise 11 of Section 5.1). (Hint: Note that the n-digit repunit $111\ldots11 = (10^n - 1)/9$.)

21. Show that every positive integer relatively prime to b divides infinitely many base b repunits (see the preamble to Exercise 15 of Section 5.1).

22. Show that if m is a positive integer, m > 1, then $a^m \equiv a^{m-\phi(m)} \pmod{m}$ for all positive integers a.

23. Show that if there is an integer b with (b, n) = 1 such that n is not a pseudoprime to the base b, then n is a pseudoprime to less than or equal to $\phi(n)$ different bases a with $1 \le a < n$. (Hint: Use Exercise 11 in Section 6.2. First show that the sets $a_1, a_2, \ldots, a_r$ and $ba_1, ba_2, \ldots, ba_r$ have no common elements, where $a_1, a_2, \ldots, a_r$ are the bases less than n to which n is a pseudoprime.)


Computations and Explorations 


1. Find $\phi(n)$ for all integers n less than 1000. What conjectures can you make about the values of $\phi(n)$?

2. Let $\Phi(n) = \sum_{i=1}^{n} \phi(i)$. Investigate the value of $\Phi(n)/n^2$ for increasingly large values of n, such as n = 100, n = 1000, and n = 10,000. Can you make a conjecture about the limit of this ratio as n grows large without bound?


Programming Projects 


1. Construct a reduced residue system modulo n for a given positive integer n.

2. Solve linear congruences using Euler’s theorem.

3. Find the solutions of a simultaneous system of linear congruences using Euler’s theorem and the Chinese remainder theorem (see Exercise 14).


7.1 


Multiplicative Functions 


In this chapter, we will study a special class of functions on the set of integers called
multiplicative functions. A multiplicative function has the property that its value at 
an integer is the product of its values at each of the prime powers in its prime-power 
factorization. We will show that some important functions are multiplicative, including 
the number of divisors function, the sum of divisors function, and the Euler phi-function. 
We will use the fact that each of these functions is multiplicative to obtain a closed 
formula for the value of these functions at a positive integer n based on the prime-power 
factorization of n. 


Furthermore, we will study a special type of positive integer, called a perfect number, 
which is equal to the sum of its proper divisors. We will show that all even perfect numbers 
are generated by a special kind of prime, called a Mersenne prime, which is a prime that 
is 1 less than a power of 2. The quest for new Mersenne primes has been under way since 
ancient times, accelerated by the invention of powerful computers, and accelerated even 
more with the advent of the Internet. 


We will also show how the summatory function of an arithmetic function, that is, 
a function defined for all positive integers, can be used to obtain information about the 
function itself. The summatory function of a function f takes a value at n equal to the 
sum of the values of f at each of the positive divisors of n. The famous Möbius inversion
formula shows how to obtain the values of f from the values of its summatory function. 


Finally, we will study arithmetic functions that count unrestricted and restricted 
partitions. By a partition, we mean a way to express a positive integer as a sum of positive 
integers where order does not matter; a partition is restricted when there are constraints 
on the terms in the sum. We will establish a variety of surprising identities between 
these arithmetic functions, and introduce many of the important concepts in the study of 
partitions. 


The Euler Phi-Function 


We will show in this section that the Euler phi-function has the property that its value 
at an integer n is the product of the values of the Euler phi-function at the prime powers 
that occur in the factorization of n. Functions with this property are called multiplicative; 
such functions arise throughout number theory. Using the fact that the Euler phi-function 
is multiplicative, we will derive a formula for its values based on prime factorizations. 
Later in this chapter, we will study other multiplicative functions, including the number
of divisors function and the sum of divisors function.


We first present some definitions. 
Definition. An arithmetic function is a function that is defined for all positive integers. 


Throughout this chapter, we are interested in arithmetic functions that have a special 
property. 


Definition. An arithmetic function f is called multiplicative if f(mn) = f(m)f(n)
whenever m and n are relatively prime positive integers. It is called completely multiplicative
if f(mn) = f(m)f(n) for all positive integers m and n.


Example 7.1. The function f(n) = 1 for all n is completely multiplicative, and hence
also multiplicative, because f(mn) = 1, f(m) = 1, and f(n) = 1, so that f(mn) =
f(m)f(n). Similarly, the function g(n) = n is completely multiplicative, and hence
multiplicative, since g(mn) = mn = g(m)g(n). ◀


If f is a multiplicative function, then we can find a simple formula for f(n) given
the prime-power factorization of n. This result is particularly useful, because it shows us
how to find f(n) from the values of $f(p_i^{a_i})$ for $i = 1, 2, \ldots, s$, where $n = p_1^{a_1} p_2^{a_2} \cdots p_s^{a_s}$
is the prime-power factorization of n.


Theorem 7.1. If f is a multiplicative function and if $n = p_1^{a_1} p_2^{a_2} \cdots p_s^{a_s}$ is the prime-power
factorization of the positive integer n, then $f(n) = f(p_1^{a_1}) f(p_2^{a_2}) \cdots f(p_s^{a_s})$.


Proof. We will prove this theorem using mathematical induction on the number of
different primes in the prime factorization of the integer n. If n has one prime in its
prime-power factorization, then $n = p_1^{a_1}$ for some prime $p_1$, and it follows that the result
is trivially true.

Suppose that the theorem is true for all integers with k different primes in their
prime-power factorization. Now suppose that n has k + 1 different primes in its prime-power
factorization, say, $n = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k} p_{k+1}^{a_{k+1}}$. Because f is multiplicative and
$(p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}, p_{k+1}^{a_{k+1}}) = 1$, we see that $f(n) = f(p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}) f(p_{k+1}^{a_{k+1}})$. By the
inductive hypothesis, we know that $f(p_1^{a_1} p_2^{a_2} p_3^{a_3} \cdots p_k^{a_k}) = f(p_1^{a_1}) f(p_2^{a_2}) f(p_3^{a_3}) \cdots f(p_k^{a_k})$.
It follows that $f(n) = f(p_1^{a_1}) f(p_2^{a_2}) \cdots f(p_k^{a_k}) f(p_{k+1}^{a_{k+1}})$. This completes the
inductive proof. ■


We now return to the Euler phi-function. We first consider its values at primes and 
then at prime powers. 


Theorem 7.2. If p is prime, then $\phi(p) = p - 1$. Conversely, if p is a positive integer
with $\phi(p) = p - 1$, then p is prime.


Proof. If p is prime, then every positive integer less than p is relatively prime to p.
Because there are p − 1 such integers, we have $\phi(p) = p - 1$. Conversely, if p is not
prime, then p = 1 or p is composite. If p = 1, then $\phi(p) \ne p - 1$ because $\phi(1) = 1$. If
p is composite, then p has a divisor d with 1 < d < p, and, of course, p and d are not
relatively prime. Because we know that at least one of the p − 1 integers 1, 2, ..., p − 1,
namely, d, is not relatively prime to p, $\phi(p) \le p - 2$. Hence, if $\phi(p) = p - 1$, then p
must be prime. ■


We now find the values of the phi-function at prime powers. 


Theorem 7.3. Let p be a prime and a a positive integer. Then $\phi(p^a) = p^a - p^{a-1}$.


Proof. The positive integers less than or equal to $p^a$ that are not relatively prime to p
are those integers not exceeding $p^a$ that are divisible by p. These are the integers kp,
where $1 \le k \le p^{a-1}$. Since there are exactly $p^{a-1}$ such integers, there are $p^a - p^{a-1}$
integers less than $p^a$ that are relatively prime to $p^a$. Hence, $\phi(p^a) = p^a - p^{a-1}$. ■


Example 7.2. Using Theorem 7.3, we find that $\phi(5^3) = 5^3 - 5^2 = 100$, $\phi(2^{10}) =
2^{10} - 2^9 = 512$, and $\phi(11^2) = 11^2 - 11 = 110$. ◀


To find a formula for $\phi(n)$, given the prime factorization of n, it suffices to show that
$\phi$ is multiplicative. We illustrate the idea behind the proof with the following example.


Example 7.3. Let m = 4 and n = 9, so that mn = 36. We list the integers from 1 to 36
in a rectangular chart, as shown in Figure 7.1.

(1)  (5)   9   (13)  (17)  21   (25)  (29)  33
 2    6   10    14    18   22    26    30   34
 3   (7)  (11)  15   (19)  (23)  27   (31)  (35)
 4    8   12    16    20   24    28    32   36

Figure 7.1 Demonstrating that $\phi(36) = \phi(4)\phi(9)$. (Circled integers are shown in parentheses.)


Neither the second nor the fourth row contains integers relatively prime to 36, since
each element in these rows is not relatively prime to 4, and hence not relatively prime to
36. We enclose the other two rows; each element of these rows is relatively prime to 4.
Within each of these rows, there are 6 integers relatively prime to 9. We circle these; they
are the 12 integers in the list relatively prime to 36. Hence, $\phi(36) = 2 \cdot 6 = \phi(4)\phi(9)$. ◀


We now state and prove the theorem that shows that $\phi$ is multiplicative.


Theorem 7.4. Let m and n be relatively prime positive integers. Then $\phi(mn) =
\phi(m)\phi(n)$.


Proof. We display the positive integers not exceeding mn in the following way.

$$\begin{array}{ccccc}
1 & m+1 & 2m+1 & \cdots & (n-1)m+1 \\
2 & m+2 & 2m+2 & \cdots & (n-1)m+2 \\
3 & m+3 & 2m+3 & \cdots & (n-1)m+3 \\
\vdots & \vdots & \vdots & & \vdots \\
r & m+r & 2m+r & \cdots & (n-1)m+r \\
\vdots & \vdots & \vdots & & \vdots \\
m & 2m & 3m & \cdots & mn
\end{array}$$

Now, suppose that r is a positive integer not exceeding m, and suppose that (m, r) =
d > 1. Then no number in the rth row is relatively prime to mn, because any element of
this row is of the form km + r, where k is an integer with $1 \le k \le n - 1$, and $d \mid (km + r)$,
because $d \mid m$ and $d \mid r$.


Consequently, to find those integers in the display that are relatively prime to mn,
we need to look at the rth row only if (m, r) = 1. If (m, r) = 1 and $1 \le r \le m$, we must
determine how many integers in this row are relatively prime to mn. The elements in this
row are r, m + r, 2m + r, ..., (n − 1)m + r. Because (r, m) = 1, each of these integers
is relatively prime to m. By Theorem 4.6 the n integers in the rth row form a complete
system of residues modulo n. Hence, exactly $\phi(n)$ of these integers are relatively prime
to n. Because these $\phi(n)$ integers are also relatively prime to m, they are relatively prime
to mn.


Because there are $\phi(m)$ rows, each containing $\phi(n)$ integers relatively prime to mn,
we can conclude that $\phi(mn) = \phi(m)\phi(n)$. ■


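Combining Theorems 7.3 and 7.4, we derive the following formula for $\phi(n)$.


Theorem 7.5. Let $n = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$ be the prime-power factorization of the positive
integer n. Then

$$\phi(n) = n \left(1 - \frac{1}{p_1}\right) \left(1 - \frac{1}{p_2}\right) \cdots \left(1 - \frac{1}{p_k}\right).$$


Proof. Because $\phi$ is multiplicative, Theorem 7.1 tells us that

$$\phi(n) = \phi(p_1^{a_1}) \phi(p_2^{a_2}) \cdots \phi(p_k^{a_k}).$$

In addition, by Theorem 7.3, we know that

$$\phi(p_j^{a_j}) = p_j^{a_j} - p_j^{a_j - 1} = p_j^{a_j} \left(1 - \frac{1}{p_j}\right)$$

for $j = 1, 2, \ldots, k$. Hence,

$$\begin{aligned}
\phi(n) &= p_1^{a_1} \left(1 - \frac{1}{p_1}\right) p_2^{a_2} \left(1 - \frac{1}{p_2}\right) \cdots p_k^{a_k} \left(1 - \frac{1}{p_k}\right) \\
&= p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k} \left(1 - \frac{1}{p_1}\right) \left(1 - \frac{1}{p_2}\right) \cdots \left(1 - \frac{1}{p_k}\right) \\
&= n \left(1 - \frac{1}{p_1}\right) \left(1 - \frac{1}{p_2}\right) \cdots \left(1 - \frac{1}{p_k}\right).
\end{aligned}$$

This is the desired formula for $\phi(n)$. ■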


We illustrate the use of Theorem 7.5 by the following example. 


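Example 7.4. Using Theorem 7.5, we note that

$$\phi(100) = \phi(2^2 5^2) = 100 \left(1 - \frac{1}{2}\right) \left(1 - \frac{1}{5}\right) = 40$$

and

$$\phi(720) = \phi(2^4 3^2 5) = 720 \left(1 - \frac{1}{2}\right) \left(1 - \frac{1}{3}\right) \left(1 - \frac{1}{5}\right) = 192.$$ ◀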


Note that $\phi(n)$ is even except when n = 2, as the following theorem shows.


Theorem 7.6. Let n be an integer greater than 2. Then $\phi(n)$ is even.

Proof. Suppose that $n = p_1^{a_1} p_2^{a_2} \cdots p_s^{a_s}$ is the prime-power factorization of n. Because
$\phi$ is multiplicative, it follows that $\phi(n) = \prod_{j=1}^{s} \phi(p_j^{a_j})$. By Theorem 7.3, we know that
$\phi(p_j^{a_j}) = p_j^{a_j - 1}(p_j - 1)$. We can see that $\phi(p_j^{a_j})$ is even if $p_j$ is an odd prime, because
then $p_j - 1$ is even, or if $p_j = 2$ and $a_j > 1$, because then $p_j^{a_j - 1}$ is even. Given that n > 2,
at least one of these two conditions holds, so that $\phi(p_j^{a_j})$ is even for at least one integer
j, $1 \le j \le s$. We conclude that $\phi(n)$ is even. ■


Let f be an arithmetic function. Then

$$F(n) = \sum_{d \mid n} f(d)$$

represents the sum of the values of f at all the positive divisors of n. The function F is
called the summatory function of f.


Example 7.5. If f is an arithmetic function with summatory function F, then

$$F(12) = \sum_{d \mid 12} f(d) = f(1) + f(2) + f(3) + f(4) + f(6) + f(12).$$

For instance, if $f(d) = d^2$ and F is the summatory function of f, then F(12) = 210,
because

$$\sum_{d \mid 12} d^2 = 1^2 + 2^2 + 3^2 + 4^2 + 6^2 + 12^2 = 1 + 4 + 9 + 16 + 36 + 144 = 210.$$ ◀
The following result, which states that n is the sum of the values of the phi-function
at all the positive divisors of n, will also be useful in the sequel. It says that the summatory
function of $\phi(n)$ is the identity function, that is, the function whose value at n is just n.


Theorem 7.7. Let n be a positive integer. Then

$$\sum_{d \mid n} \phi(d) = n.$$


Proof. We split the set of integers from 1 to n into classes. Put the integer m into the
class $C_d$ if the greatest common divisor of m and n is d. We see that m is in $C_d$, that is,
(m, n) = d, if and only if (m/d, n/d) = 1. Hence, the number of integers in $C_d$ is the
number of positive integers not exceeding n/d that are relatively prime to the integer
n/d. From this observation, we see that there are $\phi(n/d)$ integers in $C_d$. Because we
divided the integers 1 to n into disjoint classes and each integer is in exactly one class, n
is the sum of the numbers of elements in the different classes. Consequently, we see that

$$n = \sum_{d \mid n} \phi(n/d).$$

As d runs through the positive integers that divide n, n/d also runs through these divisors,
so that

$$n = \sum_{d \mid n} \phi(n/d) = \sum_{d \mid n} \phi(d).$$

This proves the theorem. ■


Example 7.6. We illustrate the proof of Theorem 7.7 when n = 18. The integers from
1 to 18 can be split into classes $C_d$, where $d \mid 18$ such that the class $C_d$ contains those
integers m with (m, 18) = d. We have

$C_1$ = {1, 5, 7, 11, 13, 17}      $C_6$ = {6, 12}
$C_2$ = {2, 4, 8, 10, 14, 16}      $C_9$ = {9}
$C_3$ = {3, 15}                    $C_{18}$ = {18}.


We see that the class $C_d$ contains $\phi(18/d)$ integers, as the six classes contain
$\phi(18) = 6$, $\phi(9) = 6$, $\phi(6) = 2$, $\phi(3) = 2$, $\phi(2) = 1$, and $\phi(1) = 1$ integers, respectively.
We note that $18 = \phi(18) + \phi(9) + \phi(6) + \phi(3) + \phi(2) + \phi(1) = \sum_{d \mid 18} \phi(d)$. ◀


A useful tool for finding all positive integers n with $\phi(n) = k$, where k is a positive
integer, is the equation $\phi(n) = \prod_{j=1}^{k} p_j^{a_j - 1}(p_j - 1)$, where the prime-power factorization
of n is $n = \prod_{j=1}^{k} p_j^{a_j}$. This is illustrated in the following example.


Example 7.7. What are the solutions to the equation $\phi(n) = 8$, where n is a positive
integer? Suppose that the prime-power factorization of n is $n = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$. Because

$$\phi(n) = \prod_{j=1}^{k} p_j^{a_j - 1}(p_j - 1),$$

the equation $\phi(n) = 8$ implies that no prime exceeding 9 divides n (otherwise $\phi(n) \ge
p_j - 1 > 8$). Furthermore, 7 cannot divide n because if it did, 7 − 1 = 6 would be a factor
of $\phi(n)$. It follows that $n = 2^a 3^b 5^c$, where a, b, and c are nonnegative integers. We can
also conclude that b = 0 or b = 1 and that c = 0 or c = 1; otherwise, 3 or 5 would divide
$\phi(n) = 8$.


To find all solutions, we need only consider four cases. When b = c = 0, we have
$n = 2^a$, where $a \ge 1$. This implies that $\phi(n) = 2^{a-1}$, which means that a = 4 and n = 16.
When b = 0 and c = 1, we have $n = 2^a \cdot 5$, where $a \ge 1$. This implies that $\phi(n) = 2^{a-1} \cdot 4$,
so a = 2 and n = 20. When b = 1 and c = 0, we have $n = 2^a \cdot 3$, where $a \ge 1$. This implies
that $\phi(n) = 2^{a-1} \cdot 2 = 2^a$, so a = 3 and n = 24. Finally, when b = 1 and c = 1, we have
$n = 2^a \cdot 3 \cdot 5$. We need to consider the case where a = 0, as well as the case where $a \ge 1$.
When a = 0, we have n = 15, which is a solution because $\phi(15) = 8$. When $a \ge 1$, we
have $\phi(n) = 2^{a-1} \cdot 2 \cdot 4 = 2^{a+2}$. This means that a = 1 and n = 30. Putting everything
together, we see that all the solutions to $\phi(n) = 8$ are n = 15, 16, 20, 24, and 30. ◀
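An added Python example (not code from the book) for this section: $\phi(n)$ computed from the prime-power factorization as in Theorems 7.3 and 7.5, the divisor sum of Theorem 7.7, and the case analysis of Example 7.7 generalized to a search for every n with $\phi(n) = k$. The function names and the trial-division factoring are choices made for this example.

```python
def factorize(n: int) -> dict:
    """Prime-power factorization {p: a} by trial division."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n: int) -> int:
    """phi(n) as the product of p^(a-1) * (p - 1) over the prime powers of n."""
    result = 1
    for p, a in factorize(n).items():
        result *= p ** (a - 1) * (p - 1)
    return result


def divisors(n: int) -> list:
    return [d for d in range(1, n + 1) if n % d == 0]


def is_prime(n: int) -> bool:
    return n > 1 and factorize(n) == {n: 1}


def inverse_phi(k: int) -> list:
    """All positive integers n with phi(n) = k.

    As in Example 7.7: a prime p dividing n contributes the factor p - 1
    to phi(n), so only primes with (p - 1) | k can occur, and each prime
    power p^a must contribute p^(a-1) * (p - 1) dividing what is left of k.
    """
    primes = [d + 1 for d in divisors(k) if is_prime(d + 1)]
    solutions = []

    def extend(n: int, remaining: int, start: int) -> None:
        if remaining == 1:
            solutions.append(n)
        # Primes are used in increasing order so each n is found once.
        for i in range(start, len(primes)):
            p = primes[i]
            part, power = p - 1, p            # phi(p^a) and p^a for a = 1
            while remaining % part == 0:
                extend(n * power, remaining // part, i + 1)
                part, power = part * p, power * p

    extend(1, k, 0)
    return sorted(solutions)


if __name__ == "__main__":
    print("phi(100), phi(720):", phi(100), phi(720))            # Example 7.4
    print("phi(36) == phi(4) * phi(9):", phi(36) == phi(4) * phi(9))
    print("sum of phi(d), d | 18:", sum(phi(d) for d in divisors(18)))
    print("phi(n) = 8 for n in", inverse_phi(8))                # Example 7.7
```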


EXERCISES 


1. Determine whether each of the following arithmetic functions is completely multiplicative. Prove your answers.

a) f(n) = 0        d) f(n) = log n      g) f(n) = n + 1
b) f(n) = 2        e) f(n) = $n^2$        h) f(n) = $n^n$
c) f(n) = n/2      f) f(n) = n!         i) f(n) = $\sqrt{n}$

2. Find the value of the Euler phi-function at each of these integers.

a) 100      c) 1001                          e) 10!
b) 256      d) 2 · 3 · 5 · 7 · 11 · 13       f) 20!

3. Show that $\phi(5186) = \phi(5187) = \phi(5188)$.

4. Find all positive integers n such that $\phi(n)$ has each of these values. Be sure to prove that you have found all solutions.

a) 1   b) 2   c) 3   d) 4

5. Find all positive integers n such that $\phi(n) = 6$. Be sure to prove that you have found all solutions.

6. Find all positive integers n such that $\phi(n) = 12$. Be sure to prove that you have found all solutions.

7. Find all positive integers n such that $\phi(n) = 24$. Be sure to prove that you have found all solutions.

8. Show that there is no positive integer n such that $\phi(n) = 14$.

9. Can you find a rule involving the Euler phi-function for producing the terms of the sequence 1, 2, 2, 4, 4, 4, 6, 8, 6, ...?

10. Can you find a rule involving the Euler phi-function for producing the terms of the sequence 2, 3, 0, 4, 0, 4, 0, 5, 0, ...?

11. For which positive integers n does $\phi(3n) = 3\phi(n)$?
12. For which positive integers n is $\phi(n)$ divisible by 4?

13. For which positive integers n is $\phi(n)$ equal to n/2?

14. For which positive integers n does $\phi(n) \mid n$?

15. Show that if n is a positive integer, then

$$\phi(2n) = \begin{cases} \phi(n) & \text{if } n \text{ is odd;} \\ 2\phi(n) & \text{if } n \text{ is even.} \end{cases}$$

16. Show that if n is a positive integer having k distinct odd prime divisors, then $\phi(n)$ is divisible by $2^k$.

17. For which positive integers n is $\phi(n)$ a power of 2?

18. Show that if n is an odd integer, then $\phi(4n) = 2\phi(n)$.

19. Show that if $n = 2\phi(n)$, where n is a positive integer, then $n = 2^j$ for some positive integer j.

20. Let p be prime. Show that $p \nmid n$, where n is a positive integer, if and only if $\phi(np) = (p - 1)\phi(n)$.

21. Show that if m and n are positive integers and (m, n) = p, where p is prime, then $\phi(mn) = p\,\phi(m)\phi(n)/(p - 1)$.

22. Show that if m and k are positive integers, then $\phi(m^k) = m^{k-1}\phi(m)$.

23. Show that if a and b are positive integers, then

$$\phi(ab) = (a, b)\,\phi(a)\phi(b)/\phi((a, b)).$$

Conclude that $\phi(ab) > \phi(a)\phi(b)$ when (a, b) > 1.

24. Find the least positive integer n such that the following hold.

a) $\phi(n) > 100$        c) $\phi(n) > 10{,}000$
b) $\phi(n) > 1000$       d) $\phi(n) > 100{,}000$

25. Use the Euler phi-function to show that there are infinitely many primes. (Hint: Assume there are only a finite number of primes $p_1, \ldots, p_k$. Consider the value of the Euler phi-function at the product of these primes.)

26. Show that if the equation $\phi(n) = k$, where k is a positive integer, has exactly one solution n, then $36 \mid n$.

27. Show that the equation $\phi(n) = k$, where k is a positive integer, has finitely many solutions in integers n whenever k is a positive integer.

28. Show that if p is prime, $2^a p + 1$ is composite for a = 1, 2, ..., r, and p is not a Fermat prime, where r is a positive integer, then $\phi(n) = 2^r p$ has no solution.


Show that there are infinitely many positive integers k such that the equation @(n) =k 
has exactly two solutions, where n is a positive integer. (Hint: Take k = 2 - 3°/+!, where 
he eres 


Show that if n is a positive integer with n 4 2 andn 46, then d(n) > /n. 


Show that if n is a composite positive integer and ¢(n) | n — 1, then n is square-free and is 
the product of at least three distinct primes. 


Show that if m and n are positive integers with m | n, then @(m) | d(n). 
* 33. Prove Theorem 7.5, using the principle of inclusion-exclusion (see Exercise 16 of Appendix B).

34. Show that a positive integer $n$ is composite if and only if $\phi(n) \le n - \sqrt{n}$.

35. Let $n$ be a positive integer. Define the sequence of positive integers $n_1, n_2, n_3, \ldots$ recursively
by $n_1 = \phi(n)$ and $n_{k+1} = \phi(n_k)$ for $k = 1, 2, 3, \ldots$. Show that there is a positive integer $r$
such that $n_r = 1$.

A multiplicative function is called strongly multiplicative if and only if $f(p^k) = f(p)$ for every
prime $p$ and every positive integer $k$.

36. Show that $f(n) = \phi(n)/n$ is a strongly multiplicative function.

Two arithmetic functions $f$ and $g$ may be multiplied using the Dirichlet product, which is defined
by
$$(f * g)(n) = \sum_{d \mid n} f(d)g(n/d).$$

37. Show that $f * g = g * f$.

38. Show that $(f * g) * h = f * (g * h)$.

We define the $\iota$ function by
$$\iota(n) = \begin{cases} 1 & \text{if } n = 1; \\ 0 & \text{if } n > 1. \end{cases}$$

39. a) Show that $\iota$ is a multiplicative function.
b) Show that $\iota * f = f * \iota = f$ for all arithmetic functions $f$.

40. The arithmetic function $g$ is said to be the inverse of the arithmetic function $f$ if $f * g =
g * f = \iota$. Show that the arithmetic function $f$ has an inverse if and only if $f(1) \ne 0$. Show
that if $f$ has an inverse it is unique. (Hint: When $f(1) \ne 0$, find the inverse $f^{-1}$ of $f$ by
calculating $f^{-1}(n)$ recursively, using the fact that $\iota(n) = \sum_{d \mid n} f(d)f^{-1}(n/d)$.)

41. Show that if $f$ and $g$ are multiplicative functions, then the Dirichlet product $f * g$ is also
multiplicative.

42. Show that if $f$ and $g$ are arithmetic functions, $F = f * g$, and $h$ is the Dirichlet inverse of $g$,
then $f = F * h$.

We define Liouville's function $\lambda(n)$, named after French mathematician Joseph Liouville, by
$\lambda(1) = 1$, and for $n > 1$, $\lambda(n) = (-1)^{a_1 + a_2 + \cdots + a_m}$, where the prime-power factorization of $n$ is
$n = p_1^{a_1} p_2^{a_2} \cdots p_m^{a_m}$.

43. Find $\lambda(n)$ for each of the following values of $n$.
a) 12 c) 210 e) 1001 g) 20!
b) 20 d) 1000 f) 10!

44. Show that $\lambda(n)$ is completely multiplicative.

45. Show that if $n$ is a positive integer, then $\sum_{d \mid n} \lambda(d)$ equals 0 if $n$ is not a perfect square, and
equals 1 if $n$ is a perfect square.

46. Show that if $f$ and $g$ are multiplicative functions, then $fg$ is also multiplicative, where
$(fg)(n) = f(n)g(n)$ for every positive integer $n$.

47. Show that if $f$ and $g$ are completely multiplicative functions, then $fg$ is also completely
multiplicative.

48. Show that if $f$ is completely multiplicative, then $f(n) = f(p_1)^{a_1} f(p_2)^{a_2} \cdots f(p_m)^{a_m}$, where
the prime-power factorization of $n$ is $n = p_1^{a_1} p_2^{a_2} \cdots p_m^{a_m}$.

A function $f$ that satisfies the equation $f(mn) = f(m) + f(n)$ for all relatively prime positive
integers $m$ and $n$ is called additive, and if the above equation holds for all positive integers $m$ and
$n$, $f$ is called completely additive.

49. Show that the function $f(n) = \log n$ is completely additive.

The function $\omega(n)$ is the function that denotes the number of distinct prime factors of the positive
integer $n$.

50. Find $\omega(n)$ for each of the following integers.
a) 1 b) 2 c) 20 d) 84 e) 128

51. Find $\omega(n)$ for each of the following integers.
a) 12 b) 30 c) 32 d) 10! e) 20! f) 50!

JOSEPH LIOUVILLE (1809-1882), born in Saint-Omer, France, was the
son of a captain in Napoleon's army. He studied mathematics at the Collège
St. Louis in Paris, and in 1825 he enrolled in the École Polytechnique; after
graduating, he entered the École des Ponts et Chaussées (School of Bridges
and Roads). Health problems while working on engineering projects and his
interest in theoretical topics convinced him to pursue an academic career. He
left the École des Ponts et Chaussées in 1830, but during his time there he wrote
papers on electrodynamics, the theory of heat, and partial differential equations.
Liouville's first academic appointment was as an assistant at the École Polytechnique in 1831.
He had a teaching load of around 40 hours a week at several different institutions. Some of his
less able students complained that he lectured at too high a level. In 1836, Liouville founded the
Journal de Mathématiques Pures et Appliquées, which played an important role in French mathematics
in the nineteenth century. In 1837, he was appointed to lecture at the Collège de France, and the
following year he was appointed Professor at the École Polytechnique. Besides his academic interests,
Liouville was also involved in politics. He was elected to Constituting Assembly in 1848 as a moderate
republican, but lost in the election of 1849, embittering him. Liouville was appointed to a chair at the
Collège de France in 1851, and the chair of mechanics at the Faculté des Sciences in 1857. Around
this time, his heavy teaching load began to take its toll. Liouville was a perfectionist and was unhappy
when he could not devote sufficient time to his lectures.

Liouville's work covered many diverse areas of mathematics, including mathematical physics,
astronomy, and many areas of pure mathematics. He was the first person to provide an explicit example
of a transcendental number. He is also known today for what is now called Sturm-Liouville theory, used
in the solution of integral equations, and he made important contributions to differential geometry.
His total output exceeds 400 papers in the mathematical sciences, with nearly half of those in number
theory alone.

52. Show that $\omega(n)$ is additive, but not completely additive.

53. Show that if $f$ is an additive function and $g(n) = 2^{f(n)}$, then $g$ is multiplicative.

54. Show that the function $n^k$ is completely multiplicative for every real number $k$.


Computations and Explorations 


1. Find $\phi(n)$ when $n$ takes each of the following values.
a) 185,888,434,028 b) 1,111,111,111,111

2. Find the number of iterations of the Euler phi-function required to reach 1, starting with each
of the integers in Computation 1.

3. Find the largest integer $n$ such that $\phi(n) < k$ for each of the following values of $k$.
a) 1,000,000 b) 10,000,000

4. Find as many positive integers $n$ as you can, such that $\phi(n) = \phi(n + 1)$. Can you formulate
any conjectures based on the evidence that you have found?

5. Can you find a positive integer $n$ other than 5186 such that $\phi(n) = \phi(n + 1) = \phi(n + 2)$?
Can you find four consecutive positive integers $n, n + 1, n + 2, n + 3$, such that $\phi(n) =
\phi(n + 1) = \phi(n + 2) = \phi(n + 3)$?

6. An open conjecture of D. H. Lehmer asserts that $n$ is prime if $\phi(n)$ divides $n - 1$. Explore
the truth of this conjecture.

7. An open conjecture of Carmichael asserts that for every positive integer $n$ there is a positive
integer $m$ such that $\phi(m) = \phi(n)$. Gather as much evidence as possible for this conjecture.


Programming Projects 


1. Given a positive integer $n$, find the value of $\phi(n)$.

2. Given a positive integer $n$, find the number of iterations of the phi-function, starting with $n$,
required to reach 1. (This is the integer $r$ in Exercise 35.)

3. Given a positive integer $k$, find the number of solutions of $\phi(n) = k$.


7.2 The Sum and Number of Divisors 


As we mentioned in Section 7.1, the number of divisors and the sum of divisors are both 
multiplicative functions. We will show that these functions are multiplicative, and will 
derive formulas for their values at a positive integer n from the prime factorization of n. 


Definition. The sum of divisors function, denoted by $\sigma$, is defined by setting $\sigma(n)$ equal
to the sum of all the positive divisors of $n$.

In Table 7.1, we give $\sigma(n)$ for $1 \le n \le 12$. The values of $\sigma(n)$ for $1 \le n \le 100$ are
given in Table 2 of Appendix E. (These values can also be computed using Maple or
Mathematica.)

n | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12
σ(n) | 1 | 3 | 4 | 7 | 6 | 12 | 8 | 15 | 13 | 18 | 12 | 28

Table 7.1 The sum of the divisors for 1 ≤ n ≤ 12.


Definition. The number of divisors function, denoted by $\tau$, is defined by setting $\tau(n)$
equal to the number of positive divisors of $n$.

In Table 7.2, we give $\tau(n)$ for $1 \le n \le 12$. The values of $\tau(n)$ for $1 \le n \le 100$ are
given in Table 2 of Appendix E. (These values can also be computed using Maple or
Mathematica.)

n | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12
τ(n) | 1 | 2 | 2 | 3 | 2 | 4 | 2 | 4 | 3 | 4 | 2 | 6

Table 7.2 The number of divisors for 1 ≤ n ≤ 12.

Note that we can express $\sigma(n)$ and $\tau(n)$ in summation notation. It is simple to see
that
$$\sigma(n) = \sum_{d \mid n} d$$
and
$$\tau(n) = \sum_{d \mid n} 1.$$

To prove that $\sigma$ and $\tau$ are multiplicative, we use the following theorem.

Theorem 7.8. If $f$ is a multiplicative function, then the summatory function of $f$,
namely, $F(n) = \sum_{d \mid n} f(d)$, is also multiplicative.

Before we prove the theorem, we illustrate the idea behind its proof with the
following example. Let $f$ be a multiplicative function, and let $F(n) = \sum_{d \mid n} f(d)$. We
will show that $F(60) = F(4)F(15)$. Each of the divisors of 60 may be written as the
product of a divisor of 4 and a divisor of 15 in the following way: $1 = 1 \cdot 1$, $2 = 2 \cdot 1$,
$3 = 1 \cdot 3$, $4 = 4 \cdot 1$, $5 = 1 \cdot 5$, $6 = 2 \cdot 3$, $10 = 2 \cdot 5$, $12 = 4 \cdot 3$, $15 = 1 \cdot 15$, $20 = 4 \cdot 5$,
$30 = 2 \cdot 15$, $60 = 4 \cdot 15$ (in each product, the first factor is the divisor of 4, and the second
is the divisor of 15). Hence,
$$
\begin{aligned}
F(60) &= f(1) + f(2) + f(3) + f(4) + f(5) + f(6) + f(10) + f(12) \\
&\quad + f(15) + f(20) + f(30) + f(60) \\
&= f(1 \cdot 1) + f(2 \cdot 1) + f(1 \cdot 3) + f(4 \cdot 1) + f(1 \cdot 5) + f(2 \cdot 3) \\
&\quad + f(2 \cdot 5) + f(4 \cdot 3) + f(1 \cdot 15) + f(4 \cdot 5) + f(2 \cdot 15) + f(4 \cdot 15) \\
&= f(1)f(1) + f(2)f(1) + f(1)f(3) + f(4)f(1) + f(1)f(5) \\
&\quad + f(2)f(3) + f(2)f(5) + f(4)f(3) + f(1)f(15) + f(4)f(5) \\
&\quad + f(2)f(15) + f(4)f(15) \\
&= (f(1) + f(2) + f(4))(f(1) + f(3) + f(5) + f(15)) \\
&= F(4)F(15).
\end{aligned}
$$


We now prove Theorem 7.8 using the idea illustrated by the example. 


Proof. To show that $F$ is a multiplicative function, we must show that if $m$ and $n$
are relatively prime positive integers, then $F(mn) = F(m)F(n)$. So let us assume that
$(m, n) = 1$. We have
$$F(mn) = \sum_{d \mid mn} f(d).$$

By Lemma 3.7, because $(m, n) = 1$, each divisor of $mn$ can be written uniquely as the
product of relatively prime divisors $d_1$ of $m$ and $d_2$ of $n$, and each pair of divisors $d_1$ of
$m$ and $d_2$ of $n$ corresponds to a divisor $d = d_1 d_2$ of $mn$. Hence, we can write
$$F(mn) = \sum_{\substack{d_1 \mid m \\ d_2 \mid n}} f(d_1 d_2).$$

Because $f$ is multiplicative, and $(d_1, d_2) = 1$, we see that
$$
\begin{aligned}
F(mn) &= \sum_{\substack{d_1 \mid m \\ d_2 \mid n}} f(d_1) f(d_2) \\
&= \sum_{d_1 \mid m} f(d_1) \sum_{d_2 \mid n} f(d_2) \\
&= F(m)F(n). \qquad ■
\end{aligned}
$$

We can now use Theorem 7.8 to show that $\sigma$ and $\tau$ are multiplicative.

Corollary 7.8.1. The sum of divisors function $\sigma$ and the number of divisors function
$\tau$ are multiplicative functions.

Proof. Let $f(n) = n$ and $g(n) = 1$. Both $f$ and $g$ are multiplicative. By Theorem 7.8,
we see that $\sigma(n) = \sum_{d \mid n} f(d)$ and $\tau(n) = \sum_{d \mid n} g(d)$ are multiplicative. ■


Now that we know that $\sigma$ and $\tau$ are multiplicative, we can derive formulas for their
values based on prime factorizations. First, we find formulas for $\sigma(n)$ and $\tau(n)$ when $n$
is the power of a prime.

Lemma 7.1. Let $p$ be prime and $a$ a positive integer. Then
$$\sigma(p^a) = 1 + p + p^2 + \cdots + p^a = \frac{p^{a+1} - 1}{p - 1}$$
and
$$\tau(p^a) = a + 1.$$

Proof. The divisors of $p^a$ are $1, p, p^2, \ldots, p^{a-1}, p^a$. Consequently, $p^a$ has exactly
$a + 1$ divisors, so that $\tau(p^a) = a + 1$. Also, we note that $\sigma(p^a) = 1 + p + p^2 + \cdots +
p^{a-1} + p^a = \frac{p^{a+1} - 1}{p - 1}$, using the formula in Example 1.15 for the sum of terms of a
geometric progression. ■

Example 7.8. When we apply Lemma 7.1 with $p = 5$ and $a = 3$, we find that $\sigma(5^3) =
1 + 5 + 5^2 + 5^3 = \frac{5^4 - 1}{5 - 1} = 156$ and $\tau(5^3) = 1 + 3 = 4$. ◄

Lemma 7.1 and Corollary 7.8.1 lead to the following formulas.

Theorem 7.9. Let the positive integer $n$ have prime factorization $n = p_1^{a_1} p_2^{a_2} \cdots p_s^{a_s}$.
Then
$$\sigma(n) = \frac{p_1^{a_1+1} - 1}{p_1 - 1} \cdot \frac{p_2^{a_2+1} - 1}{p_2 - 1} \cdots \frac{p_s^{a_s+1} - 1}{p_s - 1} = \prod_{j=1}^{s} \frac{p_j^{a_j+1} - 1}{p_j - 1}$$
and
$$\tau(n) = (a_1 + 1)(a_2 + 1) \cdots (a_s + 1) = \prod_{j=1}^{s} (a_j + 1).$$

Proof. Because both $\sigma$ and $\tau$ are multiplicative, we see that $\sigma(n) = \sigma(p_1^{a_1} p_2^{a_2} \cdots p_s^{a_s})
= \sigma(p_1^{a_1})\sigma(p_2^{a_2}) \cdots \sigma(p_s^{a_s})$ and $\tau(n) = \tau(p_1^{a_1} p_2^{a_2} \cdots p_s^{a_s}) = \tau(p_1^{a_1})\tau(p_2^{a_2}) \cdots \tau(p_s^{a_s})$.
Inserting the values for $\sigma(p_j^{a_j})$ and $\tau(p_j^{a_j})$ found in Lemma 7.1, we obtain the desired
formulas. ■

We illustrate how to use Theorem 7.9 with the following example.

Example 7.9. Using Theorem 7.9, we find
$$\tau(200) = \tau(2^3 5^2) = (3 + 1)(2 + 1) = 12.$$

Similarly, we have
$$\sigma(720) = \sigma(2^4 \cdot 3^2 \cdot 5) = \frac{2^5 - 1}{2 - 1} \cdot \frac{3^3 - 1}{3 - 1} \cdot \frac{5^2 - 1}{5 - 1} = 31 \cdot 13 \cdot 6 = 2418,$$
$$\tau(2^4 \cdot 3^2 \cdot 5) = (4 + 1)(2 + 1)(1 + 1) = 30. \qquad ◄$$
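The formulas of Theorem 7.9 can be checked against the defining divisor sums. The following Python sketch is an added example, not part of the book; the function names are chosen here for illustration, and the factorization is done by plain trial division.

```python
from math import prod


def factorize(n):
    """Return the prime-power factorization of n as {prime: exponent} (trial division)."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1 if p == 2 else 2  # after 2, try odd numbers only
    if n > 1:
        factors[n] = factors.get(n, 0) + 1  # what remains is a prime factor
    return factors


def sigma(n):
    """Sum of divisors via Theorem 7.9: product of (p^(a+1) - 1)/(p - 1)."""
    return prod((p ** (a + 1) - 1) // (p - 1) for p, a in factorize(n).items())


def tau(n):
    """Number of divisors via Theorem 7.9: product of (a + 1)."""
    return prod(a + 1 for a in factorize(n).values())


def summatory(f, n):
    """F(n) = sum of f(d) over the positive divisors d of n, as in Theorem 7.8."""
    return sum(f(d) for d in range(1, n + 1) if n % d == 0)


def disagreements(limit):
    """List every n <= limit where a formula differs from its divisor sum."""
    return [n for n in range(1, limit + 1)
            if sigma(n) != summatory(lambda d: d, n)
            or tau(n) != summatory(lambda d: 1, n)]


if __name__ == "__main__":
    print("sigma(n), n = 1..12:", [sigma(n) for n in range(1, 13)])  # Table 7.1
    print("tau(n),   n = 1..12:", [tau(n) for n in range(1, 13)])    # Table 7.2
    print("tau(200) =", tau(200), " sigma(720) =", sigma(720), " tau(720) =", tau(720))
    print("formula vs. definition mismatches up to 500:", disagreements(500))
    # Theorem 7.8 with the multiplicative function f(d) = d^2 and 60 = 4 * 15
    square = lambda d: d * d
    print(summatory(square, 60), "=", summatory(square, 4), "*", summatory(square, 15))
```
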
EXERCISES

1. Find the sum of the positive integer divisors of each of these integers.
a) 35 d) 2100 g) 10!
b) 196 e) $2 \cdot 3 \cdot 5 \cdot 7 \cdot 11$ h) 20!
c) 1000 f) $2^5 3^4 5^3 7^2 11$

2. Find the number of positive integer divisors of each of these integers.
a) 36 c) 144 e) $2 \cdot 3^2 \cdot 5^3 \cdot 7^4 \cdot 11^5 \cdot 13^4 \cdot 17^5 \cdot 19^5$
b) 99 d) $2 \cdot 3 \cdot 5 \cdot 7 \cdot 11 \cdot 13 \cdot 17 \cdot 19$ f) 20!

3. Which positive integers have an odd number of positive divisors?

4. For which positive integers $n$ is the sum of divisors of $n$ odd?

5. Find all positive integers $n$ with $\sigma(n)$ equal to each of these integers.
a) 12 c) 24 e) 52
b) 18 d) 48 f) 84

6. Find the smallest positive integer $n$ with $\tau(n)$ equal to each of these integers.
a) 1 c) 3 e) 14
b) 2 d) 6 f) 100

7. Show that if $k > 1$ is an integer, then the equation $\tau(n) = k$ has infinitely many solutions.

8. Which positive integers have exactly two positive divisors?

9. Which positive integers have exactly three positive divisors?

10. Which positive integers have exactly four positive divisors?

11. What is the product of the positive divisors of a positive integer $n$?

12. Show that the equation $\sigma(n) = k$ has at most a finite number of solutions when $k$ is a positive
integer.

13. For each of the following sequences, can you find a rule for producing the terms of the
sequence that involves the $\tau$ and/or the $\sigma$ function?
a) 3, 7, 12, 15, 18, 28, 24, 31, ... c) 1, 2, 4, 6, 16, 12, 64, 24, 36, 48, ...
b) 0, 1, 2, 4, 4, 8, 6, 11, ... d) 1,0, 1, 1,.0,-1;.1, 1.0, 0,.0,2,.1, 4.5

14. For each of the following sequences, can you find a rule for producing the terms of the
sequence that involves the $\tau$ and/or the $\sigma$ function?
a) 2, 5, 6, 10, 8, 16, 10, 19, 16, 22, ...
b) 1, 4, 6, 8, 13, 12, 14, 24, 18, ...
c) 6, 8, 10, 14, 15, 21, 22, 26, 27, 33, 34, 35, ...
d) 1, 2, 2, 2, 3, 2, 2, 4, 2, 2, 4, 2, 3, ...

A positive integer $n$, $n > 1$, is highly composite, a concept introduced by the famous Indian
mathematician Srinivasa Ramanujan, if $\tau(m) < \tau(n)$ for all integers $m$ with $1 < m < n$.

15. Find the first six highly composite positive integers.

16. Show that if $n$ is a highly composite positive integer and $m$ is a positive integer with
$\tau(m) > \tau(n)$, then there exists a highly composite integer $k$ such that $n < k \le m$. Conclude
that there are infinitely many highly composite integers.

17. Show that if $n > 1$, there exists a highly composite number $k$ such that $n < k \le 2n$. Use this to
provide an upper bound on the $m$th highly composite number, where $m$ is a positive integer.

18. Show that if $n$ is a highly composite positive integer, there exists a positive integer $k$ such
that $n = 2^{a_1} 3^{a_2} 5^{a_3} \cdots p_k^{a_k}$, where $p_k$ is the $k$th prime and $a_1 \ge a_2 \ge \cdots \ge a_k \ge 1$.

SRINIVASA RAMANUJAN (1887-1920) was born and raised in southern
India, near Madras. His father was a clerk in a cloth shop and his mother
contributed to the family income by singing at a local temple. Ramanujan
studied at a local English language school, displaying a talent in mathematics.
At 13, he mastered a textbook used by college students; when he was 15,
a university student lent him a copy of Synopsis of Pure Mathematics, and
Ramanujan decided to work out the more than 6000 results in this book. He
graduated from high school in 1904, winning a scholarship to the University of
Madras. Enrolling in a fine arts curriculum, he neglected subjects other than mathematics and lost his
scholarship. During this time, he filled his notebooks with original writings, sometimes rediscovering
already published work, and at other times making new discoveries.

Lacking a university degree, Ramanujan found it difficult to land a decent job. To survive, he
depended on the good will of friends. He tutored students, but his unconventional ways of thinking
and failure to stick to the syllabus caused problems. He was married in 1909 in an arranged marriage
to a woman who was 13 years old. Needing to support himself and his wife, he moved to Madras
looking for a job. He showed his notebooks to potential employers, but his writings bewildered them.
However, a professor at the Presidency College recognized his genius and supported him, and in 1912
he found work as an accounts clerk, which earned him a small salary.

Ramanujan continued his mathematical investigations, publishing his first paper in 1910 in an
Indian journal. Realizing that his work was beyond that of Indian mathematicians, he decided to write
to leading English mathematicians. Although the first mathematicians turned down his request for
help, G. H. Hardy arranged a scholarship for Ramanujan, bringing him to England in 1914. Hardy
initially was inclined to turn Ramanujan down, but the mathematical results Ramanujan stated without
proof in his letter puzzled Hardy. He examined Ramanujan's writings with the aid of his collaborator,
J. E. Littlewood. They decided that Ramanujan was probably a genius, as his statements "could only be
written down by a mathematician of the highest class; they must be true, because if they were not true,
no one would have the imagination to invent them." Hardy personally tutored Ramanujan and they
collaborated for five years, proving significant theorems about the partitions of integers. During this
time, Ramanujan made important contributions to number theory, and worked on elliptic functions,
infinite series, and continued fractions. Ramanujan had amazing insight involving certain types of
functions and series, but his purported theorems on prime numbers were often wrong, illustrating his
vague idea of what makes up a correct proof.

Ramanujan was one of the youngest members ever appointed a Fellow of the Royal Society.
Unfortunately, in 1917, he became extremely ill. Although it was once thought he contracted tuberculosis,
it is now thought that he suffered from a vitamin deficiency brought on by his strict vegetarianism
and shortages in wartime England. He returned to India in 1919 and continued his mathematical work
even while confined to bed. He was highly religious and thought that his mathematical talent came
from his family deity, Namaigiri. He said that "an equation for me has no meaning unless it expresses
a thought of God." He died in April 1920, leaving several notebooks of unpublished results.
Mathematicians have devoted many years of study to the explanation and justification of the results jotted
down in Ramanujan's notebooks.


* 19. Find all highly composite numbers of the form $2^a 3^b$, where $a$ and $b$ are nonnegative integers.

Let $\sigma_k(n)$ denote the sum of the $k$th powers of the divisors of $n$, so that $\sigma_k(n) = \sum_{d \mid n} d^k$. Note
that $\sigma_1(n) = \sigma(n)$.

20. Find $\sigma_3(4)$, $\sigma_3(6)$, and $\sigma_3(12)$.

21. Give a formula for $\sigma_k(p)$, where $p$ is prime.

22. Give a formula for $\sigma_k(p^a)$, where $p$ is prime and $a$ is a positive integer.

23. Show that the function $\sigma_k$ is multiplicative.

24. Using Exercises 22 and 23, find a formula for $\sigma_k(n)$, where $n$ has prime-power factorization
$n = p_1^{a_1} p_2^{a_2} \cdots p_m^{a_m}$.

* 25. Find all positive integers $n$ such that $\phi(n) + \sigma(n) = 2n$.

* 26. Show that no two positive integers have the same product of divisors.

27. Show that the number of ordered pairs of positive integers with least common multiple equal
to the positive integer $n$ is $\tau(n^2)$.

28. Let $n$ be a positive integer, $n > 2$. Define the sequence of integers $n_1, n_2, n_3, \ldots$ by $n_1 = \tau(n)$
and $n_{k+1} = \tau(n_k)$ for $k = 1, 2, 3, \ldots$. Show that there is a positive integer $r$ such that
$2 = n_r = n_{r+1} = n_{r+2} = \cdots$.

29. Show that a positive integer $n$ is composite if and only if $\sigma(n) > n + \sqrt{n}$.

30. Let $n$ be a positive integer. Show that $\tau(2^n - 1) \ge \tau(n)$.

31. Show that $\sum_{j=1}^{n} \tau(j) = 2\sum_{j=1}^{[\sqrt{n}]} [n/j] - [\sqrt{n}]^2$ whenever $n$ is a positive integer. Then use
this formula to find $\sum \tau(j)$.

32. Let $a$ and $b$ be positive integers. Show that $\sigma(a)/a \le \sigma(ab)/(ab) \le \sigma(a)\sigma(b)/(ab)$.

33. Show that if $a$ and $b$ are positive integers, then $\sigma(a)\sigma(b) = \sum_{d \mid (a,b)} d\,\sigma(ab/d^2)$.

34. Show that if $n$ is a positive integer, then $\left(\sum_{d \mid n} \tau(d)\right)^2 = \sum_{d \mid n} \tau(d)^3$.

35. Show that if $n$ is a positive integer, then $\tau(n^2) = \sum_{d \mid n} 2^{\omega(d)}$, where $\omega(n)$ equals the number
of prime divisors of $n$.

36. Show that $\sum_{d \mid n} n\sigma(d)/d = \sum_{d \mid n} d\tau(d)$ whenever $n$ is a positive integer.

37. Find the determinant of the $n \times n$ matrix with $(i, j)$th entry equal to $(i, j)$.

38. Let $n$ be a positive integer such that $24 \mid (n + 1)$. Show that $\sigma(n)$ is divisible by 24.

39. Show that there are infinitely many pairs of positive integers $m, n$ such that $\phi(m) = \sigma(n)$,
if there are infinitely many pairs of twin primes or infinitely many Mersenne primes (that is,
primes of the form $2^p - 1$, where $p$ is prime).

40. Prove that $\sum_{d \mid n} \phi(d) = n$ (Theorem 7.7) as a consequence of Theorem 7.8.


Computations and Explorations 


1. Find $\tau(n)$, $\sigma(n)$, and $\sigma_2(n)$ (as defined in the preamble to Exercise 20) for each of the
following values of $n$.
a) 121,110,987,654 b) 11,111,111,111 c) 98,989,898,989

2. Find as many pairs, triples, and quadruples as you can of consecutive integers, each with the
same number of positive divisors.

3. Determine the number of iterations required for the sequence $n_1 = \tau(n)$,
$n_2 = \tau(n_1), \ldots, n_{k+1} = \tau(n_k), \ldots$ to reach the integer 2, for all positive integers $n$ not
exceeding 1000. Formulate some conjectures based on your evidence.

4. Find all the highly composite integers (as defined in the preamble to Exercise 15) not
exceeding 10,000.

5. Show that 29,331,862,500 is a highly composite integer.


Programming Projects 


1. Given a positive integer $n$, find $\tau(n)$, the number of positive divisors of $n$.

2. Given a positive integer $n$, find $\sigma(n)$, the sum of the positive divisors of $n$.

3. Given a positive integer $n$ and a positive integer $k$, find $\sigma_k(n)$, the sum of the $k$th powers of
the positive divisors of $n$.

4. Given a positive integer $n$, find the integer $r$ defined in Exercise 28.

5. Given a positive integer $n$, determine whether $n$ is highly composite.


7.3 Perfect Numbers and Mersenne Primes 


Because of certain mystical beliefs, the ancient Greeks were interested in those integers 
that are equal to the sum of all their proper positive divisors. Such integers are called 
perfect numbers. 


Definition. If $n$ is a positive integer and $\sigma(n) = 2n$, then $n$ is called a perfect number.

Example 7.10. Because $\sigma(6) = 1 + 2 + 3 + 6 = 12$, we see that 6 is perfect. We also
note that $\sigma(28) = 1 + 2 + 4 + 7 + 14 + 28 = 56$, so that 28 is another perfect number. ◄


The ancient Greeks knew how to find all even perfect numbers. The following
theorem tells us which even positive integers are perfect.

Theorem 7.10. The positive integer $n$ is an even perfect number if and only if
$$n = 2^{m-1}(2^m - 1),$$
where $m$ is an integer such that $m \ge 2$ and $2^m - 1$ is prime.

Proof. First, we show that if $n = 2^{m-1}(2^m - 1)$, where $2^m - 1$ is prime, then $n$ is
perfect. We note that because $2^m - 1$ is odd, we have $(2^{m-1}, 2^m - 1) = 1$. Because $\sigma$
is a multiplicative function, we see that
$$\sigma(n) = \sigma(2^{m-1})\sigma(2^m - 1).$$
Lemma 7.1 tells us that $\sigma(2^{m-1}) = 2^m - 1$ and $\sigma(2^m - 1) = 2^m$, because we are assuming
that $2^m - 1$ is prime. Consequently,
$$\sigma(n) = (2^m - 1)2^m = 2n,$$
demonstrating that $n$ is a perfect number.

To show that the converse is true, let $n$ be an even perfect number. Write $n = 2^s t$,
where $s$ and $t$ are positive integers and $t$ is odd. Because $(2^s, t) = 1$, we see from Lemma
7.1 that

(7.1) $\sigma(n) = \sigma(2^s t) = \sigma(2^s)\sigma(t) = (2^{s+1} - 1)\sigma(t)$.

Because $n$ is perfect, we have

(7.2) $\sigma(n) = 2n = 2^{s+1}t$.

Combining (7.1) and (7.2) shows that

(7.3) $(2^{s+1} - 1)\sigma(t) = 2^{s+1}t$.

Because $(2^{s+1}, 2^{s+1} - 1) = 1$, from Lemma 3.4 we see that $2^{s+1} \mid \sigma(t)$. Therefore, there
is an integer $q$ such that $\sigma(t) = 2^{s+1}q$. Inserting this expression for $\sigma(t)$ into (7.3) tells
us that
$$(2^{s+1} - 1)2^{s+1}q = 2^{s+1}t$$
and, therefore,

(7.4) $(2^{s+1} - 1)q = t$.

Hence, $q \mid t$ and $q \ne t$.
When we add $q$ to both sides of (7.4), we find that

(7.5) $t + q = (2^{s+1} - 1)q + q = 2^{s+1}q = \sigma(t)$.

We will show that $q = 1$. Note that if $q \ne 1$, then there are at least three distinct positive
divisors of $t$, namely, 1, $q$, and $t$. This implies that $\sigma(t) \ge t + q + 1$, which contradicts
(7.5). Hence, $q = 1$ and, from (7.4), we conclude that $t = 2^{s+1} - 1$. Also, from (7.5), we
see that $\sigma(t) = t + 1$, so that $t$ must be prime, because its only positive divisors are 1 and
$t$. Therefore, $n = 2^s(2^{s+1} - 1)$, where $2^{s+1} - 1$ is prime. ■


By Theorem 7.10, we see that to find even perfect numbers, we must find primes of
the form $2^m - 1$. In our search for primes of this form, we first show that the exponent
$m$ must be prime.

Theorem 7.11. If $m$ is a positive integer and $2^m - 1$ is prime, then $m$ must be prime.

Proof. Assume that $m$ is not prime, so that $m = ab$, where $1 < a < m$ and $1 < b < m$.
(Note that $m > 1$, since $2^m - 1$ is prime.) Then
$$2^m - 1 = 2^{ab} - 1 = (2^a - 1)(2^{a(b-1)} + 2^{a(b-2)} + \cdots + 2^a + 1).$$
Because both factors on the right side of the equation are greater than 1, we see that
$2^m - 1$ is composite if $m$ is not prime. Therefore, if $2^m - 1$ is prime, then $m$ must also
be prime. ■

By Theorem 7.11, we see that to search for primes of the form $2^m - 1$, we need to
consider only integers $m$ that are prime. Integers of the form $2^m - 1$ have been studied
in great depth; these integers are named after a French monk of the seventeenth century,
Marin Mersenne, who studied them.

Definition. If $m$ is a positive integer, then $M_m = 2^m - 1$ is called the $m$th Mersenne
number; if $p$ is prime and $M_p = 2^p - 1$ is also prime, then $M_p$ is called a Mersenne
prime.

Example 7.11. The Mersenne number $M_7 = 2^7 - 1$ is prime, whereas the Mersenne
number $M_{11} = 2^{11} - 1 = 2047 = 23 \cdot 89$ is composite. ◄


It is possible to prove various theorems that help decide whether Mersenne numbers 
are prime. One such theorem will now be given. Related results are found in Exercises 
37-39 in Section 11.1. 


Theorem 7.12. If $p$ is an odd prime, then any divisor of the Mersenne number $M_p =
2^p - 1$ is of the form $2kp + 1$, where $k$ is a positive integer.

Proof. Let $q$ be a prime dividing $M_p = 2^p - 1$. By Fermat's little theorem, we know
that $q \mid (2^{q-1} - 1)$. Also, from Lemma 4.3, we know that

(7.6) $(2^p - 1, 2^{q-1} - 1) = 2^{(p, q-1)} - 1$.

Because $q$ is a common divisor of $2^p - 1$ and $2^{q-1} - 1$, we know that $(2^p - 1, 2^{q-1} -
1) > 1$. Hence, $(p, q - 1) = p$, because the only other possibility, namely, $(p, q - 1) = 1$,
would imply from (7.6) that $(2^p - 1, 2^{q-1} - 1) = 1$. Hence $p \mid (q - 1)$ and, therefore,
there is a positive integer $m$ such that $q - 1 = mp$. Because $q$ is odd, we see that $m$ must
be even, so that $m = 2k$, where $k$ is a positive integer. Hence, $q = mp + 1 = 2kp + 1$.
Because any divisor of $M_p$ is a product of prime divisors of $M_p$, each prime divisor of
$M_p$ is of the form $2kp + 1$, and the product of numbers of this form is also of this form,
the result follows. ■

MARIN MERSENNE (1588-1648) was born in Maine, France, into a family
of workers. He attended the College of Mans and the Jesuit College at La
Flèche. He continued his education at the Sorbonne, studying theology. He
joined the order of the Minims in 1611, a group whose name comes from
the word minimi indicating that the members considered themselves the least
religious order. Besides prayer, members pursued scholarship and study. In
1612, Mersenne became a priest at the Palace Royale in Paris; between 1614
and 1618, he taught philosophy at the Minim Convent in Nevers. He returned
to Paris in 1619, where his cell in the Minims de l'Annociade was a meeting place for scientists,
philosophers, and mathematicians, including Fermat and Pascal. Mersenne corresponded extensively
with scholars throughout Europe, serving as a clearinghouse for new ideas. Mersenne wrote books
on mechanics, mathematical physics, mathematics, music, and acoustics. He studied prime numbers
and tried unsuccessfully to develop a formula representing all primes. In 1644, he claimed to have the
complete list of primes $p$ with $p \le 257$ for which $2^p - 1$ is prime; this claim was far from accurate.
Mersenne is also noted for his defense of two of the most famous men of his time, Descartes and
Galileo, from religious critics. He also helped expose alchemists and astrologers as frauds.


We can use Theorem 7.12 to help decide whether Mersenne numbers are prime. We 
illustrate this by the following examples. 


Example 7.12. To decide whether $M_{13} = 2^{13} - 1 = 8191$ is prime, we need only look
for a prime factor not exceeding $\sqrt{8191} = 90.504\ldots$. Furthermore, by Theorem 7.12,
any such prime divisor must be of the form $26k + 1$. The only candidates for primes
dividing $M_{13}$ less than or equal to $\sqrt{M_{13}}$ are 53 and 79. Trial division easily rules out
these cases, so that $M_{13}$ is prime. ◄

Example 7.13. To decide whether $M_{23} = 2^{23} - 1 = 8{,}388{,}607$ is prime, we only
need to determine whether $M_{23}$ is divisible by a prime less than or equal to $\sqrt{M_{23}} =
2896.309\ldots$ of the form $46k + 1$. The first prime of this form is 47. A trial division
shows that $8{,}388{,}607 = 47 \cdot 178{,}481$, so that $M_{23}$ is composite. ◄
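The search carried out in Examples 7.12 and 7.13, combined with the construction of Theorem 7.10, is shown below as an added Python example; it is not part of the book, and the function names are chosen here for illustration.

```python
from math import isqrt


def is_prime(n):
    """Trial-division primality check, adequate for small exponents."""
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))


def mersenne_candidates(p):
    """Yield each q = 2kp + 1 (k = 1, 2, ...) with q <= sqrt(M_p), p an odd prime."""
    limit = isqrt((1 << p) - 1)
    q = 2 * p + 1
    while q <= limit:
        yield q
        q += 2 * p


def smallest_mersenne_factor(p):
    """Return the least divisor q of M_p with 1 < q <= sqrt(M_p), or None if M_p is prime.

    Only numbers of the form 2kp + 1 are tried (Theorem 7.12). The first
    candidate that divides M_p is itself prime, because any proper divisor of
    it would be a smaller divisor of M_p of the same form.
    """
    if not is_prime(p):
        raise ValueError("the exponent must be prime")
    if p == 2:
        return None  # M_2 = 3 is prime; Theorem 7.12 is stated for odd p
    m = (1 << p) - 1
    for q in mersenne_candidates(p):
        if m % q == 0:
            return q
    return None


def even_perfect_numbers(max_exponent):
    """Even perfect numbers 2^(p-1) * (2^p - 1) with p <= max_exponent (Theorem 7.10)."""
    return [(1 << (p - 1)) * ((1 << p) - 1)
            for p in range(2, max_exponent + 1)
            if is_prime(p) and smallest_mersenne_factor(p) is None]


def sum_of_divisors(n):
    """sigma(n) from the definition, pairing each divisor d with n // d."""
    total = 0
    for d in range(1, isqrt(n) + 1):
        if n % d == 0:
            total += d + (n // d if d * d != n else 0)
    return total


if __name__ == "__main__":
    # Example 7.12: candidates 26k + 1 up to sqrt(8191); 27 is not prime, 53 and 79 are.
    print("candidates for M_13:", list(mersenne_candidates(13)))
    print("factor of M_13:", smallest_mersenne_factor(13))
    # Example 7.13: the first candidate 47 already divides M_23.
    print("factor of M_23:", smallest_mersenne_factor(23))
    for n in even_perfect_numbers(13):
        print(n, "sigma(n) == 2n:", sum_of_divisors(n) == 2 * n)
```
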


Because there are special primality tests for Mersenne numbers, it has been possible 
to determine whether extremely large Mersenne numbers are prime. 


A particularly useful primality test follows, known as the Lucas-Lehmer test after 
Édouard Lucas, who developed the theory the test is based on in the 1870s, and Derrick 
H. Lehmer, who developed a simplified version of the test in 1930. (A version of this test 
that uses elliptic curves, introduced in Chapter 13, was recently developed by Benedict 
Gross.) This test has been used to find the largest known Mersenne primes and is being 
used today in the ongoing search for new Mersenne primes, described later in this section. 

For most of recent history, the largest known Mersenne prime was the largest known 
prime, as is currently the case. However, from late 1990 until early 1992, the largest 


FRANÇOIS-ÉDOUARD-ANATOLE LUCAS (1842-1891) was born in 
Amiens, France, and was educated at the École Normale. After finishing his 
studies, he worked as an assistant at the Paris Observatory, and during the 
Franco-Prussian war he served as an artillery officer. After the war he became 
a teacher at a secondary school. He was considered to be an excellent and 
entertaining teacher. Lucas was extremely fond of calculating and devised plans 
for a computer, which unfortunately were never realized. Besides his 
contributions to number theory, Lucas is also remembered for his work in recreational 
mathematics. The most famous of his contributions in this area is the well-known Tower of Hanoi 
problem. A freak accident led to Lucas’s death. He was gashed in the cheek by a piece of a plate that 
was accidentally dropped at a banquet. An infection in the resulting wound killed him several days 
later. 

known prime was $391{,}581 \cdot 2^{216{,}193} - 1$. Because this number is of the form $k \cdot 2^n - 1$, 
it was possible to use special tests to show that it is prime. 


Theorem 7.13. The Lucas-Lehmer Test. Let $p$ be a prime and let $M_p = 2^p - 1$ 
denote the $p$th Mersenne number. Define a sequence of integers recursively by setting 
$r_1 = 4$ and, for $k \ge 2$, 

$$r_k \equiv r_{k-1}^2 - 2 \pmod{M_p}, \qquad 0 \le r_k < M_p.$$

Then $M_p$ is prime if and only if $r_{p-1} \equiv 0 \pmod{M_p}$. 


The proof of the Lucas-Lehmer test may be found in [Le80] and [Si64]. We give an 
example to illustrate how the Lucas-Lehmer test is used. 


Example 7.14. Consider the Mersenne number $M_5 = 2^5 - 1 = 31$. Then $r_1 = 4$, $r_2 \equiv 
4^2 - 2 = 14 \pmod{31}$, $r_3 \equiv 14^2 - 2 \equiv 8 \pmod{31}$, and $r_4 \equiv 8^2 - 2 \equiv 0 \pmod{31}$. 
Because $r_4 \equiv 0 \pmod{31}$, we conclude that $M_5 = 31$ is prime. ◄ 


The Lucas-Lehmer test can be performed quite rapidly, as the following corollary 
states. It lets us test whether Mersenne numbers are prime without factoring them and 
makes it possible to determine whether extremely large Mersenne numbers are prime, 
whereas other numbers of similar size that are not of special form are beyond testing. 


Corollary 7.13.2. Let $p$ be prime and let $M_p = 2^p - 1$ denote the $p$th Mersenne 
number. It is possible to determine whether $M_p$ is prime using $O(p^3)$ bit operations. 


Proof. To determine whether $M_p$ is prime using the Lucas-Lehmer test requires $p - 1$ 
squarings modulo $M_p$, each requiring $O((\log M_p)^2) = O(p^2)$ bit operations. Hence, the 
Lucas-Lehmer test requires $O(p^3)$ bit operations. ■ 
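
The two tests above, written out as an added Python example (this code is not from the book; all function names are chosen here for illustration). It restricts trial divisors of a Mersenne number to the form 2kp + 1 as Theorem 7.12 allows, reproducing Examples 7.12 and 7.13, and runs the Lucas-Lehmer recurrence of Theorem 7.13, reproducing Example 7.14.

```python
from math import isqrt


def is_prime(n):
    """Plain trial division; adequate for the small candidate divisors used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def candidate_primes(p):
    """Primes of the form 2kp + 1 not exceeding sqrt(M_p), for a small odd prime p.

    By Theorem 7.12 these are the only primes that have to be tried as
    divisors of M_p = 2^p - 1.
    """
    bound = isqrt((1 << p) - 1)
    return [q for q in range(2 * p + 1, bound + 1, 2 * p) if is_prime(q)]


def smallest_factor(p, limit=None):
    """Smallest divisor q = 2kp + 1 of M_p with q <= sqrt(M_p), or None.

    Every divisor of M_p has the form 2kp + 1, so the first hit in increasing
    order is the smallest divisor greater than 1 and is therefore prime; no
    primality test on q is needed. pow(2, p, q) == 1 means q divides 2^p - 1.
    `limit` optionally caps the search for exponents whose sqrt(M_p) is huge.
    """
    bound = isqrt((1 << p) - 1)
    if limit is not None:
        bound = min(bound, limit)
    q = 2 * p + 1
    while q <= bound:
        if pow(2, p, q) == 1:
            return q
        q += 2 * p
    return None


def lucas_lehmer_residues(p):
    """r_1, ..., r_{p-1} of Theorem 7.13, each reduced modulo M_p (odd prime p)."""
    m = (1 << p) - 1
    r = 4
    residues = [r]
    for _ in range(2, p):              # k = 2, ..., p - 1
        r = (r * r - 2) % m
        residues.append(r)
    return residues


def is_mersenne_prime(p):
    """Lucas-Lehmer test for a prime exponent p: M_p is prime iff r_{p-1} = 0."""
    if p == 2:
        return True                    # M_2 = 3; r_1 = 4 is not below M_2, so treat p = 2 apart
    m = (1 << p) - 1
    r = 4
    for _ in range(2, p):              # p - 2 squarings modulo M_p
        r = (r * r - 2) % m
    return r == 0


if __name__ == "__main__":
    print("candidates for M_13:", candidate_primes(13))
    print("factor of M_13:", smallest_factor(13))
    print("factor of M_23:", smallest_factor(23))
    print("residues for M_5:", lucas_lehmer_residues(5))
    exps = [p for p in range(2, 128) if is_prime(p) and is_mersenne_prime(p)]
    print("exponents p <= 127 with M_p prime:", exps)
```

Python integers are arbitrary precision, so each squaring modulo M_p here is the schoolbook-style operation the corollary counts; the exponents printed for p up to 127 agree with Table 7.3.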

It has been conjectured but not proved that there are infinitely many Mersenne 
primes. However, the search for larger and larger Mersenne primes has been quite 
successful. 


DERRICK H. LEHMER (1905-1991) was born in Berkeley, California. He 
received his undergraduate degree in 1927 from the University of California and 
his master’s and doctorate degrees from Brown University in 1929 and 1930, 
respectively. He served on the staffs of the California Institute of Technology, 
the Institute for Advanced Study, Lehigh University, and Cambridge University 
before joining the mathematics department at the University of California, 
Berkeley, in 1940. Lehmer made many contributions to number theory. He 
invented many special purpose devices for number theoretic computations, 
some with his pe who was also a mathematician. Lehmer was the thesis advisor of Harold Stark, 
who in turn was the thesis advisor of the author of this book. 


The Search for Mersenne Primes 


The history of the search for Mersenne primes can be divided into three eras. The first 
began in ancient times and ran until the advent of computers in the 1950s. Before the 
1950s, only 12 Mersenne primes were known, with the largest of these 12 found in 1876. 
Once computers were available, many new Mersenne primes were found, including five 
new ones discovered in just one year, 1952. A total of 22 Mersenne primes were found 
on stand-alone computers from 1952 until 1996, with the largest of these found on the 
most powerful supercomputers of their day. The second era ran until the widespread 
use of the Internet, when the third era began. So far (early 2010), a total of 13 new 
Mersenne primes have been discovered using a distributed computer network enabled 
by the Internet, bringing the current total to 47 known Mersenne primes. We now briefly 
describe some details about the quest for Mersenne primes in each of these three time 
periods. 


The Precomputer Era In precomputer days, the search was littered with errors and 
unsubstantiated claims, many turning out to be false. By 1588, Pietro Cataldi had verified 
that $M_{17}$ and $M_{19}$ were primes, but he also stated, without any justification, that $M_p$ was 
prime for p = 23, 29, 31, and 37 (of these, only $M_{31}$ is prime). In his Cogitata 
Physica-Mathematica, published in 1644, Mersenne claimed (without providing a justification) 
that $M_p$ is prime for p = 2, 3, 5, 7, 13, 17, 19, 31, 67, 127, and 257, and for no other 
prime p with p < 257. In 1772, Euler showed that $M_{31}$ was prime, using trial division by 
all primes up to 46,337, which is the largest prime not exceeding the square root of $M_{31}$. 
In 1811, the English mathematician Peter Barlow wrote in his Theory of Numbers that 
$M_{31}$ would be the greatest Mersenne prime ever found—he thought that no one would 
ever attempt to find a larger Mersenne prime because they are “merely curious, without 
being useful.” This turned out to be a terrible prediction; not only was Barlow wrong 
about people finding new Mersenne primes, but he was wrong about their utility, as our 
subsequent comments will show. 


In 1876, Lucas used the test that he had developed to show that $M_{67}$ was 
composite without finding a factorization; it took an additional 27 years for $M_{67}$ to be factored. 
The American mathematician Frank Cole devoted 20 years of Sunday-afternoon 
computations to discover that $M_{67} = 193{,}707{,}721 \cdot 761{,}838{,}257{,}287$. When he presented this 
result at a meeting of the American Mathematical Society in 1903, writing the 
factorization on a blackboard and not saying a word, the audience gave him a standing ovation, as 
they understood how much work had been required to find this factorization. The 
numbers $M_{61}$, $M_{89}$, $M_{107}$, and $M_{127}$ were shown to be prime between 1876 and 1914. But 
it was not until 1947 that the primality of $M_p$ for all primes p not exceeding 257 was 
tested, with the help of mechanical calculating machines. When this work was done, it 
was seen that Mersenne had made exactly five mistakes. He was wrong when he stated 
that $M_{67}$ and $M_{257}$ are primes, and he failed to include the Mersenne primes $M_{61}$, $M_{89}$, 
and $M_{107}$ in his list. 


The Computer Era As we have seen, only 12 Mersenne primes were known before 
the advent of modern computers, the last of which was discovered in 1914. But since 
the invention of computers, new Mersenne primes have been found at a fairly steady 
rate, averaging about one new Mersenne prime every two years since 1950. The first 
five Mersenne primes found with the help of a computer were the 13th through the 17th 
Mersenne primes. All five were found in 1952 by Raphael Robinson, using SWAC (the 
National Bureau of Standards Western Automatic Computer) with the help of D. H. and 
Emma Lehmer. The 13th and 14th Mersenne primes were found the first day SWAC was 
used to run the Lucas-Lehmer test, and the other three were found in the following nine 
months. Compared to computers today, SWAC was primitive. Its total memory was 1152 
bytes, and half of this was used for the commands that ran the program. It is interesting to 
note that Robinson’s program to implement the Lucas-Lehmer test was the first program 
he ever wrote. 


Riesel found the 18th Mersenne prime using the Swedish BESK computer, Hurwitz 
found the 19th and 20th Mersenne primes using the IBM 7090, and Gillies found the 
21st, 22nd, and 23rd Mersenne primes using the ILLIAC 2. Tuckerman found the 24th 
Mersenne prime using the IBM 360. 


The 25th and 26th Mersenne primes were found by high school students Laura 
Nickel and Landon Noll using idle time on the Cyber 174 computer at California 
State University, Hayward. Nickel and Noll, who were 18 years old at the time, were 
also studying number theory with D. H. Lehmer and CSU professor Dan Jurca. Their 
discoveries were announced on the nightly news shows of major networks around the 
world. Nickel and Noll discovered the 25th Mersenne prime together, while only Noll 
went on to discover the 26th Mersenne prime by himself. 


David Slowinski, working with several different collaborators, discovered the nth 
Mersenne prime for n = 27, 28, 30, 31, 32, 33, and 34 between 1979 and 1996. For 
example, Slowinski and Gage found the Mersenne prime $M_{1,257,787}$, a number with 
378,632 digits, in 1996. The proof that this number is prime took approximately six 
hours on a Cray supercomputer. The Mersenne prime that Slowinski missed, the 29th, 
was found by Colquitt and Welsh in 1988 using a NEC SX-2 computer. You may wonder 
how Slowinski overlooked this prime. The reason is that he did not check whether $M_p$ 
is prime for consecutive primes, but instead jumped around following hunches about the 
distribution of Mersenne primes, just as many researchers have done. 


The Great Internet Prime Search The Internet has become a key factor accelerating 
the discovery of Mersenne primes. Many people are cooperating to find new Mersenne 
primes as part of the Great Internet Mersenne Prime Search (GIMPS), founded by George 
Woltman in 1996. Approximately 40 Teraflops (40 trillion ($10^{12}$) floating-point 
operations per second) are devoted to GIMPS on PrimeNet, the network linking the distributed 
computers in GIMPS into one virtual supercomputer. This virtual supercomputer is one 
of the most powerful computers in the world, even though most of the individual 
computers used are Pentium PCs. 


The 13 largest Mersenne primes known were all found as part of the GIMPS project. 
The first two of these, $M_{1,398,269}$ and $M_{2,976,221}$, were discovered to be prime in 1996 
and 1997, respectively. The Mersenne prime $M_{2,976,221}$ was shown to be prime using a 
100 MHz Pentium PC using about 15 days of CPU time. In 1998, $M_{3,021,377}$, a number 
with 909,526 decimal digits, was found to be prime. The lucky person who made this 



No.   p      Decimal digits in $M_p$   Year discovered   Discoverer 
1     2      1                         ancient times 
2     3      1                         ancient times 
3     5      2                         ancient times 
4     7      3                         ancient times 
5     13     4                         1456              anonymous 
6     17     6                         1588              Cataldi 
7     19     6                         1588              Cataldi 
8     31     10                        1772              Euler 
9     61     19                        1883              Pervushin 
10    89     27                        1911              Powers 
11    107    33                        1914              Powers 
12    127    39                        1876              Lucas 


Table 7.3 Mersenne primes known before computers. 


discovery, Roland Clarkson, was a 19-year-old student at California State University, 
Dominguez Hills. He used a 200 MHz Pentium computer, taking the equivalent of 
about a week of full-time CPU processing, to find this prime. The Mersenne prime $M_{6,972,593}$, 
a number with 2,098,960 decimal digits, was found in 1999 by Nayan Hajratwala, a 
GIMPS participant, using a 350 MHz Pentium computer, using the equivalent of about 
three weeks of uninterrupted processing. 


The Mersenne prime $M_{13,466,917}$, an integer with 4,053,946 decimal digits, was 
found in 2001 by a 20-year-old Canadian university student, Michael Cameron. It took 42 
days on an 800 MHz AMD personal computer to show that this number is prime. The next 
largest Mersenne prime is $M_{20,996,011}$, an integer with 6,320,430 decimal digits, which 
was shown to be prime in 2003 by Michael Shafer, a 26-year-old chemical engineering 
graduate student at Michigan State University. He used a 2.4 GHz Pentium 4 personal 
computer running for 19 days to make this discovery. The Mersenne prime $M_{24,036,583}$, 
an integer with 7,253,733 decimal digits, was shown to be prime in 2004 by Josh Findley. 
He used a 2.4 GHz Pentium 4 PC running for 14 days to prove this. The Mersenne prime 
$M_{25,964,951}$, an integer with 7,816,230 decimal digits, was discovered in February 2005 
by Martin Nowak, a German eye surgeon using a 2.4 GHz Pentium 4 PC running for 
more than 50 days. The Mersenne prime $M_{30,402,457}$, an integer with 9,152,052 decimal 
digits, was shown to be prime in December 2005 by a collaborative effort at Central 
Missouri State University (CMSU) led by Curtis Cooper and Steven Boone. They ran 
GIMPS software on about 700 campus lab PCs. They found this Mersenne prime on 
a computer in the Department of Communication lab running on and off for around 50 
days. Less than a year later, in September 2006, this same team discovered the Mersenne 
prime $M_{32,582,657}$, an integer with 9,808,358 decimal digits, using a computer in the 
same lab and just a few computers away from the computer that produced their earlier 
discovery. 

p           Decimal digits in $M_p$   Year discovered   Discoverer(s)        Computer used 
521         157                       1952              Robinson             SWAC 
607         183                       1952              Robinson             SWAC 
1279        386                       1952              Robinson             SWAC 
2203        664                       1952              Robinson             SWAC 
2281        687                       1952              Robinson             SWAC 
3217        969                       1957              Riesel               BESK 
4253        1281                      1961              Hurwitz              IBM 7090 
4423        1332                      1961              Hurwitz              IBM 7090 
9689        2917                      1963              Gillies              ILLIAC 2 
9941        2993                      1963              Gillies              ILLIAC 2 
11,213      3376                      1963              Gillies              ILLIAC 2 
19,937      6002                      1971              Tuckerman            IBM 360/91 
21,701      6533                      1978              Noll, Nickel         Cyber 174 
23,209      6987                      1979              Noll                 Cyber 174 
44,497      13,395                    1979              Nelson, Slowinski    Cray 1 
86,243      25,962                    1983              Slowinski            Cray 1 
110,503     33,265                    1988              Colquitt, Welsh      NEC SX-2 
132,049     39,751                    1983              Slowinski            Cray X-MP 
216,091     65,050                    1985              Slowinski            Cray X-MP 
756,839     227,832                   1992              Slowinski, Gage      Cray 2 
859,433     258,716                   1994              Slowinski, Gage      Cray 2 
1,257,787   378,632                   1996              Slowinski, Gage      Cray T94 


Table 7.4 Mersenne primes found using computers but not the Internet. 


Two years after the discoveries at CMSU, GIMPS announced the discovery of 
two more Mersenne primes. The larger, the Mersenne prime $M_{43,112,609}$, a number 
with 12,978,189 decimal digits, was discovered first. It was found in August 2008 by 
Edson Smith, a computing manager for the Mathematics Department at UCLA, on a 
2.4 GHz Windows XP computer, one of 75 computers running GIMPS software in a 
computer lab. The smaller of these two Mersenne primes, $M_{37,156,667}$, discovered in 
September 2008, has 11,185,272 decimal digits. It was found by Hans-Michael Elvenich, 
an electrical engineer who works for a chemical company. In April 2009, the Mersenne 
prime $M_{42,643,801}$, a number with 12,837,064 decimal digits, was found by Odd M. 
Strindmo, a Norwegian IT professional. This Mersenne prime was discovered on a 3.0 
GHz PC; the computer actually discovered the new prime in April 2009, but no person 
noticed this for almost three months! The reader should also note that not all Mersenne 
numbers with exponents between 21,000,000 and 43,112,609 have been tested, so that 
there may be one or more undiscovered Mersenne primes in this range. 


The search for new Mersenne primes continues full blast, with approximately 70,000 
people looking for new ones by running GIMPS software on more than a quarter million 

No.   p            Decimal digits in $M_p$   Year discovered   Discoverer(s) 
35    1,398,269    420,921                   1996              Armengaud 
36    2,976,221    895,952                   1997              Spence 
37    3,021,377    909,526                   1998              Clarkson 
38    6,972,593    2,098,960                 1999              Hajratwala 
39    13,466,917   4,053,946                 2001              Cameron 
40    20,996,011   6,320,430                 2003              Shafer 
41    24,036,583   7,253,733                 2004              Findley 
42    25,964,951   7,816,230                 2005              Nowak 
43    30,402,457   9,152,052                 2005              Cooper, Boone 
44    32,582,657   9,808,358                 2006              Cooper, Boone 
45    37,156,667   11,185,272                2008              Elvenich 
46    42,643,801   12,837,064                2009              Strindmo 
47    43,112,609   12,978,189                2008              Smith 


Table 7.5 Mersenne primes found by GIMPS over PrimeNet. 


computers. GIMPS has been finding new Mersenne primes at what seems to be an 
increasingly rapid pace. The next few years will show whether GIMPS can keep 
this pace up. (See Tables 7.3, 7.4, and 7.5 for lists of known Mersenne primes divided 
into the era in which they were found, along with information about their discovery.) 


Why do people look for Mersenne primes? Many people are devoted to the quest for 
new Mersenne primes. Why do they spend so much time and energy on this task? There 


A Prime Jackpot 

When Nayan Hajratwala found the Mersenne prime $2^{6,972,593} - 1$, he was the first person 
to find a prime with more than one million decimal digits. This made him eligible for a 
prize of $50,000 from the Electronic Frontier Foundation (EFF), an organization devoted to 
protecting the health and growth of the Internet. Moreover, the discovery of the Mersenne 
prime $M_{43,112,609}$ qualified for a prize of $100,000 from the EFF because it was the first 
prime found with more than ten million decimal digits. Of this prize money, $50,000 went 
to the UCLA Mathematics Department, $25,000 went to charity, and $25,000 was split up 
with some going to the discoverers of the previous six Mersenne primes found and the rest 
to the GIMPS organization. 

You still have a chance to collect a prize from the EFF by finding large primes. They 
offer prizes of $150,000 and $250,000 for the first discovery of a prime with 100 million 
and 1 billion decimal digits, respectively. An anonymous donor has funded these prizes to 
spur cooperative work on scientific problems that involve massive computation. You still 
will receive a cash prize if you find a new Mersenne prime with fewer than 100 million 
decimal digits; GIMPS will award $3,000 for the discovery of each such prime. 

are many reasons. The discovery of a new Mersenne prime brings fame and notoriety. 
Some people may be motivated by the recent cash prizes being offered for finding new 
Mersenne primes; other people like to contribute to team efforts. By joining GIMPS 
and PrimeNet, anyone can begin making useful contributions to the search for new 
Mersenne primes. The quest for new Mersenne primes has sparked the development of 
new theoretical results, and this has motivated many people; others are interested in the 
distribution of primes and want evidence to use as the basis for conjectures. Many people 
have used software for the Lucas-Lehmer test to check out new hardware platforms, as 
these programs are CPU and computer bus intensive. For example, the Intel Pentium II 
chip was tested using GIMPS software. Some people would rather have their computer 
look for Mersenne primes during idle time than run a screen-saver. For these and other 
reasons, many people look for Mersenne primes. 


If you catch the bug and become interested in the search for Mersenne primes, you 
should investigate the GIMPS Web site, as well as several other relevant Web sites (links 
for these can be found in Appendix D and on the Web site for this book). At the GIMPS 
site, you can obtain a program for running the Lucas-Lehmer test, and learn how to join 
PrimeNet. The GIMPS program for running the Lucas-Lehmer test has been optimized 
in many ways, so that it runs much more efficiently than a naive implementation of the 
test. You can reserve a particular range of exponents to check. If history is a guide, it 
should not be too much longer before the world’s record for Mersenne (and all) primes 
is smashed. If you join GIMPS, you may be the lucky one to break this record! 


Odd Perfect Numbers 


We have reduced the study of even perfect numbers to the study of Mersenne primes. But 
are there odd perfect numbers? The answer is still unknown. It is possible to demonstrate 
that if they exist, odd perfect numbers must satisfy numerous conditions (see Exercises 
32-36, for example). Much of the work establishing various constraints on odd perfect 
numbers originated with the work of the great English mathematician James Joseph 
Sylvester. In 1888, he stated that the existence of an odd perfect with “its escape from the 
complex web of conditions which hem it in on all sides would be little short of a miracle.” 
Today, this statement appears to be even more on the mark. As of early 2010, we know 
that there are no odd perfect numbers less than 10°, an odd perfect number must have at 
least nine different prime divisors and at least 75 prime divisors counting multiplicities, 
the largest prime factor of the number must be at least $10^8$, the largest exponent in the 
prime-power factorization must be at least 4, the largest prime power must be at least 
$10^{20}$, as well as many other constraints. A discussion of odd perfect numbers may be 
found in [Gu94] or [Ri96], and information about some of the constraints may be found 
in [BrCote93], [Co87], [GoOh08], and [Ha83]. 


7.3 EXERCISES 


1. Find the six smallest even perfect numbers. 
2. Find the seventh and eighth even perfect numbers. 
3. Find a factor of each of the following integers. 
a) $2^{15} - 1$ b) $2^{91} - 1$ c) $2^{1001} - 1$ 


4. Find a factor of each of the following integers. 
a) $2^{111} - 1$ b) $2^{289} - 1$ c) $2^{46,189} - 1$ 


If $n$ is a positive integer, we say that $n$ is deficient if $\sigma(n) < 2n$, and we say that $n$ is abundant if 
$\sigma(n) > 2n$. Every integer is either deficient, perfect, or abundant. 


5. Find the six smallest abundant positive integers. 

6. Find the smallest odd abundant positive integer. 

7. Show that every prime power is deficient. 

8. Show that any proper divisor of a deficient or perfect number is deficient. 

9. Show that any multiple of an abundant or perfect number, other than the perfect number itself, 
is abundant. 


10. Show that if $n = 2^{m-1}(2^m - 1)$, where $m$ is a positive integer such that $2^m - 1$ is composite, 
then $n$ is abundant. 


11. Show that there are infinitely many deficient numbers. 

12. Show that there are infinitely many even abundant numbers. 

13. Show that there are infinitely many odd abundant numbers. 

14. Show that if $n = p^a q^b$, where $p$ and $q$ are distinct odd primes and $a$ and $b$ are positive integers, 
then $n$ is deficient. 

Two positive integers $m$ and $n$ are called an amicable pair if $\sigma(m) = \sigma(n) = m + n$. 

15. Show that each of the following pairs of integers are amicable pairs. 

a) 220, 284 b) 1184, 1210 c) 79750, 88730 


16. a) Show that if $n$ is a positive integer with $n \ge 2$, such that $3 \cdot 2^{n-1} - 1$, $3 \cdot 2^n - 1$, and 
$3^2 \cdot 2^{2n-1} - 1$ are all prime, then $2^n(3 \cdot 2^{n-1} - 1)(3 \cdot 2^n - 1)$ and $2^n(3^2 \cdot 2^{2n-1} - 1)$ form 
an amicable pair. 

b) Find three amicable pairs using part (a). 


An integer $n$ is called k-perfect if $\sigma(n) = kn$. Note that a perfect number is 2-perfect. 

17. Show that $120 = 2^3 \cdot 3 \cdot 5$ is 3-perfect. 

18. Show that $30{,}240 = 2^5 \cdot 3^3 \cdot 5 \cdot 7$ is 4-perfect. 

19. Show that $14{,}182{,}439{,}040 = 2^7 \cdot 3^4 \cdot 5 \cdot 7 \cdot 11^2 \cdot 17 \cdot 19$ is 5-perfect. 

20. Find all 3-perfect numbers of the form $n = 2^k \cdot 3 \cdot p$, where $p$ is an odd prime. 

21. Show that if $n$ is 3-perfect and $3 \nmid n$, then $3n$ is 4-perfect. 


An integer $n$ is k-abundant if $\sigma(n) > (k + 1)n$. 
22. Find a 3-abundant integer. 
23. Find a 4-abundant integer. 


** 24. Show that for each positive integer k there are an infinite number of k-abundant integers. 

A positive integer $n$ is called superperfect if $\sigma(\sigma(n)) = 2n$. 

25. Show that 16 is superperfect. 

26. Show that if $n = 2^q$, where $2^{q+1} - 1$ is prime, then $n$ is superperfect. 

27. Show that every even superperfect number is of the form $n = 2^q$, where $2^{q+1} - 1$ is prime. 

28. Show that if $n = p^2$, where $p$ is an odd prime, then $n$ is not superperfect. 


29. Use Theorem 7.12 to determine whether each of the following Mersenne numbers is prime. 
a) $M_7$ b) $M_{11}$ c) $M_{17}$ d) $M_{29}$ 

30. Use the Lucas-Lehmer test, Theorem 7.13, to determine whether each of the following 
Mersenne numbers is prime. 
a) $M_3$ b) $M_7$ c) $M_{11}$ d) $M_{13}$ 


31. Show that if $n$ is a positive integer and $2n + 1$ is prime, then either $(2n + 1) \mid M_n$ or $(2n + 1) \mid 
(M_n + 2)$. (Hint: Use Fermat’s little theorem to show that $M_n(M_n + 2) \equiv 0 \pmod{2n + 1}$.) 


32. a) Show that if $n$ is an odd perfect number, then $n = p^a m^2$, where $p$ is an odd prime, 
$p \equiv a \equiv 1 \pmod 4$, and $m$ is an integer. 
b) Use part (a) to show that if $n$ is an odd perfect number, then $n \equiv 1 \pmod 4$. 


33. Show that if $n = p^a m^2$ is an odd perfect number, where $p$ is prime, then $n \equiv p \pmod 8$. 

34. Show that if $n$ is an odd perfect number, then 3, 5, and 7 are not all divisors of $n$. 

35. Show that if $n$ is an odd perfect number, then $n$ has at least three different prime divisors. 

36. Show that if $n$ is an odd perfect number, then $n$ has at least four different prime divisors. 


37. Find all positive integers $n$ such that the product of all divisors of $n$ other than $n$ is exactly 
$n^2$. (These integers are multiplicative analogues of perfect numbers.) 


38. Let $n$ be a positive integer. Define the aliquot sequence $n_1, n_2, n_3, \ldots$ recursively by 
$n_1 = \sigma(n) - n$ and $n_{k+1} = \sigma(n_k) - n_k$ for $k = 1, 2, 3, \ldots$. (The word aliquot is an adjective 
that means “contained an exact number of times in something else.” Archaically, the aliquot 
parts of an integer were the divisors of this integer.) 

a) Show that if $n$ is perfect, then $n = n_1 = n_2 = n_3 = \cdots$. 

b) Show that if $n$ and $m$ are an amicable pair, then $n_1 = m$, $n_2 = n$, $n_3 = m$, $n_4 = n, \ldots$ and 
so on; that is, the sequence $n_1, n_2, n_3, \ldots$ is periodic with period 2. 

c) Find the aliquot sequence of integers generated if $n = 12{,}496 = 2^4 \cdot 11 \cdot 71$. 


Before computers were used to examine the behavior of aliquot sequences, it was conjectured 
that for all integers $n$ the aliquot sequence of integers $n_1, n_2, n_3, \ldots$ is bounded. However, 
evidence obtained from calculations with large integers suggests that some of these sequences 
are unbounded. 


39. Show that if $n$ is a positive integer greater than 1, then the Mersenne number $M_n$ cannot be 
the power of a positive integer. 


40. A double Mersenne number is a Mersenne number of the form $M_{M_n}$, where $M_n$ is the nth 
Mersenne prime. 


a) Show that if the double Mersenne number $M_{M_n}$ is prime, then $n$ is prime and $M_n$ is prime. 
b) Find all prime double Mersenne numbers with $n < 30$ with the help of Table 7.3. 

Computations and Explorations 


1. Verify by direct computation that $2^{30}(2^{31} - 1)$ is perfect. 

2. Show that the number 154,345,556,085,770,649,600 is a 6-perfect number (as defined in the 
preamble to Exercise 17). 

3. Show that each of the following pairs of integers is an amicable pair (as defined in the preamble 
to Exercise 15). 
a) 609928, 686072 b) 643336, 652664 
c) 938304290, 1344480478 d) 4000783984, 4001351168 

4. Find factors of as many Mersenne numbers of the form $M_p$, where $p$ is prime, as you can, 
using Theorem 7.12. 

5. Verify the primality of as many Mersenne primes as you can, using the Lucas-Lehmer test. 
(You may want to use GIMPS software to do this.) 

6. Join the GIMPS and search for Mersenne primes. 

7. Find all amicable pairs where both integers in the pair are less than 10,000. 

8. Show that the aliquot sequence (as defined in Exercise 38) obtained by taking n = 14,316 is 
periodic with period 28. 

9. Find as many aliquot sequences as you can that are periodic with period 4. 

10. Find the number of terms in the aliquot sequence obtained by taking n = 138 before this 
sequence reaches the integer 1. What is the largest term of the sequence? Can you answer the 
same question for n = 276? 


Programming Projects 


1. Classify positive integers according to whether they are deficient, perfect, or abundant (see 
the preamble to Exercise 5). 

2. Use Theorem 7.12 to look for factors of Mersenne numbers. 

3. Determine whether the Mersenne number $2^p - 1$ is prime, where $p$ is a prime, using the 
Lucas-Lehmer test. 

4. Given a positive integer n, determine if the aliquot sequence defined in Exercise 32 is periodic. 

5. Given a positive integer n, find all amicable pairs of integers a, b, where a ≤ n and b ≤ n 
(see the preamble to Exercise 15). 


7.4 Möbius Inversion 


Let $f$ be an arithmetic function. The formula $F(n) = \sum_{d \mid n} f(d)$ expresses the values 
of $F$, the summatory function of $f$, in terms of the values of $f$. Can this relationship be 
inverted? That is, is there a convenient way to express the values of $f$ in terms of those 
of $F$? In this section, we will provide a useful formula that does this. We will start with 
some exploration, to help us see what kind of formula might exist. 

Suppose that $f$ is an arithmetic function and $F$ is its summatory function $F(n) = 
\sum_{d \mid n} f(d)$. Expanding the definition of $F(n)$ for $n = 1, 2, \ldots, 8$, we see that 


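$$\begin{aligned}
F(1) &= f(1) \\
F(2) &= f(1) + f(2) \\
F(3) &= f(1) + f(3) \\
F(4) &= f(1) + f(2) + f(4) \\
F(5) &= f(1) + f(5) \\
F(6) &= f(1) + f(2) + f(3) + f(6) \\
F(7) &= f(1) + f(7) \\
F(8) &= f(1) + f(2) + f(4) + f(8),
\end{aligned}$$


and so on. When we solve these equations successively for $f(n)$, for $n = 1, 2, \ldots, 8$, 
we find that 


$$\begin{aligned}
f(1) &= F(1) \\
f(2) &= F(2) - F(1) \\
f(3) &= F(3) - F(1) \\
f(4) &= F(4) - F(2) \\
f(5) &= F(5) - F(1) \\
f(6) &= F(6) - F(3) - F(2) + F(1) \\
f(7) &= F(7) - F(1) \\
f(8) &= F(8) - F(4).
\end{aligned}$$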

Note that $f(n)$ equals a sum of terms of the form $\pm F(n/d)$, where $d \mid n$. From this 
evidence, it might be fruitful to look for an identity of the form 


$$f(n) = \sum_{d \mid n} \mu(d) F(n/d),$$


where $\mu$ is an arithmetic function. If this identity holds, our computations imply that 
$\mu(1) = 1$, $\mu(2) = -1$, $\mu(3) = -1$, $\mu(4) = 0$, $\mu(5) = -1$, $\mu(6) = 1$, $\mu(7) = -1$, and 
$\mu(8) = 0$. Furthermore, $F(p) = f(1) + f(p)$, which implies that $f(p) = F(p) - F(1)$, 
whenever $p$ is prime. This requires that $\mu(p) = -1$. Moreover, because 


$$F(p^2) = f(1) + f(p) + f(p^2),$$


we have 

$$f(p^2) = F(p^2) - (F(p) - F(1)) - F(1) = F(p^2) - F(p).$$


This implies that $\mu(p^2) = 0$ for every prime $p$. Similar reasoning can be used to show that 
$\mu(p^k) = 0$ for every prime $p$ and integer $k > 1$. If we conjecture that $\mu$ is a multiplicative 
function, the values of $\mu$ are determined by those at prime powers. This leads to the 
following definition. 


Definition. The Möbius function, $\mu(n)$, is defined by 

$$\mu(n) = \begin{cases}
1 & \text{if } n = 1; \\
(-1)^r & \text{if } n = p_1 p_2 \cdots p_r, \text{ where the } p_i \text{ are distinct primes;} \\
0 & \text{otherwise.}
\end{cases}$$

The Möbius function is named after August Ferdinand Möbius. 


From the definition, we see that $\mu(n) = 0$ whenever $n$ is divisible by the square of 
a prime. The only values of $n$ for which $\mu(n) \ne 0$ are those $n$ that are square-free. 


Example 7.15. From the definition of $\mu(n)$, we see that $\mu(1) = 1$, $\mu(2) = -1$, $\mu(3) = 
-1$, $\mu(4) = \mu(2^2) = 0$, $\mu(5) = -1$, $\mu(6) = \mu(2 \cdot 3) = 1$, $\mu(7) = -1$, $\mu(8) = \mu(2^3) = 0$, 
$\mu(9) = \mu(3^2) = 0$, and $\mu(10) = \mu(2 \cdot 5) = 1$. ◄ 


Example 7.16. We have $\mu(330) = \mu(2 \cdot 3 \cdot 5 \cdot 11) = (-1)^4 = 1$, $\mu(660) = 
\mu(2^2 \cdot 3 \cdot 5 \cdot 11) = 0$, and $\mu(4290) = \mu(2 \cdot 3 \cdot 5 \cdot 11 \cdot 13) = (-1)^5 = -1$. ◄ 
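
The exploration and definition above, as an added Python example (not from the book; the function names and the sample function f(n) = n^2 + 1 are chosen here for illustration). It solves the equations F(n) = sum of f(d) over d | n successively, as the text does for n = 1, ..., 8, reads off the coefficient of each F(n/d), and checks that it equals the Möbius function computed from the definition.

```python
from functools import lru_cache
from math import isqrt


def mobius(n):
    """mu(n) from the definition: 1 for n = 1, 0 if the square of a prime
    divides n, and (-1)^r if n is a product of r distinct primes."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    sign = 1
    d = 2
    while d * d <= n:
        if n % d == 0:
            n //= d
            if n % d == 0:          # d^2 divided the original n
                return 0
            sign = -sign
        d += 1
    if n > 1:                       # one remaining prime factor
        sign = -sign
    return sign


def divisors(n):
    """All positive divisors of n in increasing order."""
    small = [d for d in range(1, isqrt(n) + 1) if n % d == 0]
    return sorted(set(small + [n // d for d in small]))


@lru_cache(maxsize=None)
def elimination_coefficients(n):
    """Solve F(k) = sum_{d | k} f(d) successively for f(n).

    Returns the nonzero coefficients c[m] in f(n) = sum_m c[m] * F(m) as a
    sorted tuple of (m, c) pairs, using f(n) = F(n) - sum of f(d) over the
    proper divisors d of n. The Mobius function is not used here.
    """
    coeffs = {n: 1}
    for d in divisors(n)[:-1]:
        for m, c in elimination_coefficients(d):
            coeffs[m] = coeffs.get(m, 0) - c
    return tuple(sorted((m, c) for m, c in coeffs.items() if c != 0))


def summatory(f, n):
    """F(n) = sum of f(d) over the divisors d of n."""
    return sum(f(d) for d in divisors(n))


def invert(F, n):
    """Recover f(n) from F with the conjectured identity sum mu(d) F(n/d)."""
    return sum(mobius(d) * F(n // d) for d in divisors(n))


if __name__ == "__main__":
    for n in range(1, 9):
        terms = " ".join(f"{c:+d}*F({m})" for m, c in reversed(elimination_coefficients(n)))
        print(f"f({n}) = {terms}")
    print([mobius(n) for n in range(1, 11)])
    f = lambda n: n * n + 1                     # sample arithmetic function (constructed)
    F = lambda n: summatory(f, n)
    print(all(invert(F, n) == f(n) for n in range(1, 200)))
```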


We now verify that the Möbius function is multiplicative, proceeding directly from 
its definition. 


Theorem 7.14. The Möbius function $\mu(n)$ is a multiplicative function. 


Proof. Suppose that $m$ and $n$ are relatively prime positive integers. To show that $\mu(n)$ is 
multiplicative requires that we show that $\mu(mn) = \mu(m)\mu(n)$. To establish this equality, 
we first consider the case when $m = 1$ or $n = 1$. When $m = 1$, we see that both $\mu(mn)$ 
and $\mu(m)\mu(n)$ equal $\mu(n)$. The case for $n = 1$ is similar. 


Now suppose that at least one of $m$ and $n$ is divisible by a square of a prime. Then 
$mn$ is also divisible by the square of a prime. Consequently, $\mu(mn)$ and $\mu(m)\mu(n)$ are 
both equal to 0. Finally, consider the remaining case when both $m$ and $n$ are 
square-free integers greater than 1. Suppose that $m = p_1 p_2 \cdots p_s$, where $p_1, p_2, \ldots, p_s$ are 
distinct primes, and $n = q_1 q_2 \cdots q_t$, where $q_1, q_2, \ldots, q_t$ are distinct primes. Because 
$m$ and $n$ are relatively prime, no prime occurs in both of the prime factorizations of 


AUGUST FERDINAND MOBIUS (1790-1868) was born in the town of 
Schulpforta, near Naumburg, Germany. His father was a dancing teacher and 
his mother was a descendant of Martin Luther. Mobius was taught at home until 
he was 13, displaying an interest and talent in mathematics at a young age. He 
received formal training in mathematics from 1803 until 1809, when he entered 
Leipzig University. He intended to study law, but instead decided to coacentrate 
on subjects more to his interest—mathematics, physics, and astronomy. After 
pursuing further studies at Géttingen, where he studied astronomy with Gauss, 
and at ae where he studied mathematics with Pfaff, he became professor of astronomy at Leipzig, 
remaining there until his death. Mébius made contributions to a wide range of subjects, including 
astronomy, mechanics, projective geometry, optics, statics, and number theory. Today, he is best 
lanown for his discovery of a surface with one side, called the Mébius strip, which can be formed 
by taking a strip of paper and connecting two opposite ends after twisting it. 
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m and n. Consequently, mn is the product of s + ¢ distinct primes. It follows that 
(mn) = (—1)8* = (—1)8(—D! = un) e(n). 7 


We will now show that the summatory function of the Möbius function is a particularly
simple function.


Theorem 7.15. The summatory function of the Möbius function at the integer $n$,
$F(n) = \sum_{d \mid n} \mu(d)$, satisfies

$$F(n) = \begin{cases} 1 & \text{if } n = 1; \\ 0 & \text{if } n > 1. \end{cases}$$


Proof. First consider the case when $n = 1$. We have

$$F(1) = \sum_{d \mid 1} \mu(d) = \mu(1) = 1.$$

Next, let $n > 1$. By Theorem 7.8, because $\mu$ is a multiplicative function, its summatory
function $F(n) = \sum_{d \mid n} \mu(d)$ is also multiplicative. Now, suppose that $p$ is prime and $k$
is a positive integer. We see that

$$F(p^k) = \sum_{d \mid p^k} \mu(d) = \mu(1) + \mu(p) + \mu(p^2) + \cdots + \mu(p^k) = 1 + (-1) + 0 + \cdots + 0 = 0$$

because $\mu(p^i) = 0$ whenever $i \geq 2$. Finally, suppose that $n$ is a positive integer, $n > 1$,
with prime-power factorization $n = p_1^{a_1} p_2^{a_2} \cdots p_t^{a_t}$. Because $F$ is multiplicative, it
follows that $F(n) = F(p_1^{a_1}) F(p_2^{a_2}) \cdots F(p_t^{a_t})$. Because each of the factors on the
right-hand side of this equation is 0, it follows that $F(n) = 0$. ■


The Möbius inversion formula provides an answer to the question posed at the
beginning of this section. It provides a way to express the values of $f$ in terms of values of
its summatory function $F$. This formula is used extensively in the study of multiplicative
functions and can be used to establish new identities involving these functions.


Theorem 7.16. The Möbius Inversion Formula. Suppose that $f$ is an arithmetic
function and that $F$ is the summatory function of $f$, so that

$$F(n) = \sum_{d \mid n} f(d)$$

for every positive integer $n$. Then, for all positive integers $n$,

$$f(n) = \sum_{d \mid n} \mu(d) F(n/d).$$


Proof. The proof of this formula involves some manipulations of double sums. We
proceed as follows, starting with the sum on the right-hand side of the formula, substituting
for $F(n/d)$ the expression $\sum_{e \mid (n/d)} f(e)$, which comes from the definition of the
function $F$ as the summatory function of $f$. We have

$$\sum_{d \mid n} \mu(d) F(n/d) = \sum_{d \mid n} \Bigl( \mu(d) \sum_{e \mid (n/d)} f(e) \Bigr) = \sum_{d \mid n} \Bigl( \sum_{e \mid (n/d)} \mu(d) f(e) \Bigr).$$

Note that the pairs of integers $(d, e)$ with $d \mid n$ and $e \mid (n/d)$ are the same as those with
$e \mid n$ and $d \mid (n/e)$. It follows that

$$\sum_{d \mid n} \Bigl( \sum_{e \mid (n/d)} \mu(d) f(e) \Bigr) = \sum_{e \mid n} \Bigl( \sum_{d \mid (n/e)} f(e) \mu(d) \Bigr) = \sum_{e \mid n} \Bigl( f(e) \sum_{d \mid (n/e)} \mu(d) \Bigr).$$

Now we see by Theorem 7.15 that $\sum_{d \mid (n/e)} \mu(d) = 0$ unless $n/e = 1$. When $n/e = 1$,
that is, when $n = e$, this sum equals 1. Consequently,

$$\sum_{e \mid n} \Bigl( f(e) \sum_{d \mid (n/e)} \mu(d) \Bigr) = f(n) \cdot 1 = f(n).$$

This completes the proof. ■


The Möbius inversion formula can be used to construct many new identities that
would be difficult to prove in another manner, as the following example shows.


Example 7.17. The functions $\sigma(n)$ and $\tau(n)$ are the summatory functions of the
functions $f(n) = n$ and $f(n) = 1$, respectively, as noted in Section 7.2. That is,
$\sigma(n) = \sum_{d \mid n} d$ and $\tau(n) = \sum_{d \mid n} 1$. By the Möbius inversion formula, we can conclude that for
all integers $n$,

$$n = \sum_{d \mid n} \mu(n/d)\sigma(d)$$

and

$$1 = \sum_{d \mid n} \mu(n/d)\tau(d).$$

Proving these two identities directly would be difficult. ◄
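The following Python code is an added example, not part of the text. It computes $\mu(n)$ by trial-division factoring, then checks Theorem 7.15, the Möbius inversion formula for an arbitrary arithmetic function, and the two identities of Example 7.17; all function names are chosen here for illustration.

```python
def factorize(n):
    """Prime factorization of n >= 1 as {prime: exponent}, by trial division."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1 if p == 2 else 2          # 2, 3, 5, 7, 9, ...
    if n > 1:                            # whatever is left is a prime
        factors[n] = factors.get(n, 0) + 1
    return factors


def mobius(n):
    """mu(n): 0 if a square of a prime divides n, else (-1)^(number of primes)."""
    factors = factorize(n)
    if any(exp > 1 for exp in factors.values()):
        return 0
    return -1 if len(factors) % 2 else 1


def divisors(n):
    """All positive divisors of n, in increasing order."""
    divs = [1]
    for p, exp in factorize(n).items():
        divs = [d * p**k for d in divs for k in range(exp + 1)]
    return sorted(divs)


def summatory(f, n):
    """F(n) = sum of f(d) over the divisors d of n."""
    return sum(f(d) for d in divisors(n))


def mobius_invert(F, n):
    """Recover f(n) from its summatory function: sum of mu(d) F(n/d) over d | n."""
    return sum(mobius(d) * F(n // d) for d in divisors(n))


def sigma(n):
    return summatory(lambda d: d, n)     # sum of divisors


def tau(n):
    return summatory(lambda d: 1, n)     # number of divisors


def check_section_identities(limit):
    """True if Theorems 7.15, 7.16 and Example 7.17 hold for every n <= limit."""
    f = lambda n: n * n + 3              # constructed, deliberately not multiplicative
    F = lambda n: summatory(f, n)
    for n in range(1, limit + 1):
        if summatory(mobius, n) != (1 if n == 1 else 0):   # Theorem 7.15
            return False
        if mobius_invert(F, n) != f(n):                    # Theorem 7.16
            return False
        if mobius_invert(sigma, n) != n:                   # Example 7.17
            return False
        if mobius_invert(tau, n) != 1:                     # Example 7.17
            return False
    return True


if __name__ == "__main__":
    print([mobius(n) for n in range(1, 11)])
    print(check_section_identities(300))
```

The inversion check uses a function that is not multiplicative to make the point that Theorem 7.16 needs no hypothesis on $f$ beyond being an arithmetic function.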


By Theorem 7.8, we know that if $f$ is a multiplicative function, then so is its
summatory function, $F(n) = \sum_{d \mid n} f(d)$. Another useful consequence of the Möbius
inversion formula is that we can turn this statement around. That is, if the summatory
function $F$ of an arithmetic function $f$ is multiplicative, then so is $f$.


Theorem 7.17. Let $f$ be an arithmetic function with summatory function
$F = \sum_{d \mid n} f(d)$. Then, if $F$ is multiplicative, $f$ is also multiplicative.

Proof. Suppose that $m$ and $n$ are relatively prime positive integers. We want to show
that $f(mn) = f(m)f(n)$. To show this, first note that by Lemma 3.7, if $d$ is a divisor
of $mn$, then $d = d_1 d_2$ where $d_1 \mid m$, $d_2 \mid n$, and $(d_1, d_2) = 1$. Using the Möbius inversion
formula and the fact that $\mu$ and $F$ are multiplicative, we see that

$$\begin{aligned}
f(mn) &= \sum_{d \mid mn} \mu(d) F\left(\frac{mn}{d}\right) \\
&= \sum_{d_1 \mid m,\ d_2 \mid n} \mu(d_1 d_2) F\left(\frac{mn}{d_1 d_2}\right) \\
&= \sum_{d_1 \mid m,\ d_2 \mid n} \mu(d_1)\mu(d_2) F\left(\frac{m}{d_1}\right) F\left(\frac{n}{d_2}\right) \\
&= \sum_{d_1 \mid m} \mu(d_1) F\left(\frac{m}{d_1}\right) \cdot \sum_{d_2 \mid n} \mu(d_2) F\left(\frac{n}{d_2}\right) \\
&= f(m)f(n). \quad ■
\end{aligned}$$


EXERCISES


1. Find the following values of the Möbius function.

   a) $\mu(12)$   b) $\mu(15)$   c) $\mu(30)$   d) $\mu(50)$   e) $\mu(1001)$   f) $\mu(2 \cdot 3 \cdot 5 \cdot 7 \cdot 11 \cdot 13)$   g) $\mu(10!)$


2. Find the following values of the Möbius function.

   a) $\mu(33)$   b) $\mu(105)$   c) $\mu(110)$   d) $\mu(740)$   e) $\mu(999)$   f) $\mu(3 \cdot 7 \cdot 13 \cdot 19 \cdot 23)$   g) $\mu(10!/(5!)^2)$


3. Find the value of $\mu(n)$ for each integer $n$ with $100 < n < 110$.

4. Find the value of $\mu(n)$ for each integer $n$ with $1000 < n < 1010$.

5. Find all integers $n$, $1 < n < 100$ with $\mu(n) = 1$.

6. Find all composite integers $n$, $100 < n < 200$ with $\mu(n) = -1$.


The Mertens function $M(n)$ is defined by $M(n) = \sum_{i=1}^{n} \mu(i)$.


7. Find $M(n)$ for all positive integers not exceeding 10.

8. Find $M(n)$ for $n = 100$.

9. Show that $M(n)$ is the difference between the number of square-free positive integers not
   exceeding $n$ with an even number of prime divisors and those with an odd number of prime
   divisors.

10. Show that if $n$ is a positive integer, then $\mu(n)\mu(n + 1)\mu(n + 2)\mu(n + 3) = 0$.

11. Prove or disprove that there are infinitely many positive integers $n$ such that
    $\mu(n) + \mu(n + 1) = 0$.

12. Prove or disprove that there are infinitely many positive integers $n$ such that
    $\mu(n - 1) + \mu(n) + \mu(n + 1) = 0$.

13. For how many consecutive integers can the Möbius function $\mu(n)$ take a nonzero value?

14. For how many consecutive integers can the Möbius function $\mu(n)$ take the value 0?

15. Show that if $n$ is a positive integer, then $\phi(n) = n \sum_{d \mid n} \mu(d)/d$. (Hint: Use the Möbius
    inversion formula.)

16. Use the Möbius inversion formula and the identity $n = \sum_{d \mid n} \phi(n/d)$, demonstrated in Section
    7.1, to show the following.

    a) $\phi(p^t) = p^t - p^{t-1}$, whenever $p$ is prime and $t$ is a positive integer.
    b) $\phi(n)$ is multiplicative.

17. Suppose that $f$ is a multiplicative function with $f(1) = 1$. Show that

    $$\sum_{d \mid n} \mu(d) f(d) = (1 - f(p_1))(1 - f(p_2)) \cdots (1 - f(p_k)),$$

    where $n = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$ is the prime-power factorization of $n$.

18. Use Exercise 17 to find a simple formula for $\sum_{d \mid n} d\mu(d)$ for all positive integers $n$.

19. Use Exercise 17 to find a simple formula for $\sum_{d \mid n} \mu(d)/d$ for all positive integers $n$.

20. Use Exercise 17 to find a simple formula for $\sum_{d \mid n} \mu(d)\tau(d)$ for all positive integers $n$.

21. Use Exercise 17 to find a simple formula for $\sum_{d \mid n} \mu(d)\sigma(d)$ for all positive integers $n$.

22. Let $n$ be a positive integer. Show that

    $$\prod_{d \mid n} \mu(d) = \begin{cases} -1 & \text{if } n \text{ is a prime;} \\ 0 & \text{if } n \text{ has a square factor;} \\ 1 & \text{if } n \text{ is square-free and composite.} \end{cases}$$

23. Show that 
wa) = 2, 
d|n 
where w(n) denotes the number of distinct prime factors of n. 
24. Use Exercise 23 and the Mobius inversion formula to show that 


y(n) = D7 (dre, 
dln 


25. Show that $\sum_{d \mid n} \mu(d)\lambda(d) = 2^{\omega(n)}$ for all positive integers $n$, where $\omega(n)$ is the number of
    distinct prime factors of $n$. (See the preamble to Exercise 43 in Section 7.1 for a definition of
    $\lambda(n)$.)

26. Show that >> din 4(n/d)2° (4) — ] for all positive integers n. 

Exercises 27-29 provide a proof of the Möbius inversion formula and Theorem 7.17 using the
concepts of the Dirichlet product and the Dirichlet inverse, defined in the exercise set of Section
7.1.


27. Show that the Möbius function $\mu(n)$ is the Dirichlet inverse of the function $\nu(n) = 1$.

28. Use Exercise 38 in Section 7.1 and Exercise 27 to prove the Möbius inversion formula.

29. Prove Theorem 7.17 by noting that if $F = f * \nu$, where $\nu = 1$ for all positive integers $n$, then
    $f = F * \mu$.


The Mangoldt function $\Lambda$ is defined for all positive integers $n$ by

$$\Lambda(n) = \begin{cases} \log p & \text{if } n = p^k, \text{ where } p \text{ is prime and } k \text{ is a positive integer;} \\ 0 & \text{otherwise.} \end{cases}$$


30. Show that $\sum_{d \mid n} \Lambda(d) = \log n$ whenever $n$ is a positive integer.

31. Use the Möbius inversion formula and Exercise 30 to show that

    $$\Lambda(n) = -\sum_{d \mid n} \mu(d) \log d.$$

32. Find the error in this “proof” that all perfect numbers are even. “Proof”: If $n$ is even, then
    $2n = \sum_{d \mid n} d$. By Möbius inversion, $n = \sum_{d \mid n} \mu(n/d)2d$. Because all the terms in the last
    sum are even, it follows that $n$ is even.


A complex number $\omega$ is a primitive $n$th root of unity if $\omega^n = 1$, but $\omega^k \neq 1$ when $1 \leq k \leq n - 1$.
Because $e^{2\pi i} = 1$, it is easy to see that the primitive $n$th roots of unity are the complex numbers
$\zeta^j$ where $\zeta = e^{2\pi i/n}$ for $1 \leq j \leq n$ and $(j, n) = 1$. The cyclotomic polynomial of order $n$, denoted
by $\Phi_n(x)$, is the monic polynomial whose roots are the primitive $n$th roots of unity. That is,
$\Phi_n(x) = \prod_{1 \leq j \leq n,\ (j,n)=1} (x - \zeta^j)$.


33. a) Show that $x^n - 1 = \prod_{d \mid n} \Phi_d(x)$ whenever $n$ is a positive integer.
    b) Find $\Phi_p(x)$ if $p$ is prime.
    c) Find $\Phi_{2p}(x)$ if $p$ is an odd prime.

34. Use the Möbius inversion formula to show that $\Phi_n(x) = \prod_{d \mid n} (x^d - 1)^{\mu(n/d)}$ whenever $n$ is
    a positive integer. (Hint: First take logarithms on both sides of the equation in part (a) of
    Exercise 33.)

35. Use Exercise 34 to show that the coefficients of $\Phi_n(x)$, the cyclotomic polynomial of order
    $n$, are integers whenever $n$ is a positive integer.

36. Show that if $p$ and $q$ are distinct odd primes, then each coefficient of the cyclotomic
    polynomial of order $pq$ equals $-1$, $0$, or $1$.


Computations and Explorations 


1. Find $\mu(n)$ for each of the following values of $n$.
   a) 421,602,180,943   b) 186,728,732,190   c) 737,842,183,177

2. Find $M(n)$, the value of the Mertens function at $n$, for each of the following integers. (See
   the preamble to Exercise 7 for the definition of $M(n)$.)

   a) 1000   b) 10,000   c) 100,000

3. A famous conjecture made in 1897 by F. Mertens, and disproved in 1985 by A. Odlyzko
   and H. te Riele (in [Odte85]), was that $|M(n)| < \sqrt{n}$ for all positive integers $n$, where $M(n)$
   is the Mertens function. Show that this conjecture, called Mertens’ conjecture, is true for all
   integers $n$ for as large a range as you can. Do not expect to find a counterexample, because the
   smallest $n$ for which the conjecture is false is fantastically large. What is known is that there
   is a counterexample less than $3.21 \cdot 10^{64}$. Before the conjecture was shown to be false, it had
   been checked by computer for all integers $n$ up to $10^{10}$. This shows that even a tremendous
   amount of evidence can be misleading, because the smallest counterexample to a conjecture
   can nevertheless be titanically large.

4. Compute the cyclotomic polynomials of order $n$ (defined in the preamble of Exercise 32)
   for $1 < n < 50$. (Many computer algebra systems, such as Maple and Mathematica, have
   commands that find cyclotomic polynomials.)

5. Find the smallest $n$ for which the cyclotomic polynomial of order $n$ has a coefficient
   other than $0$ or $\pm 1$ and the smallest $n$ for which the cyclotomic polynomial of order $n$ has a
   coefficient other than $0$, $\pm 1$ and $\pm 2$.


Programming Projects 


1. Given a positive integer $n$, find the value of $\mu(n)$.

2. Given a positive integer $n$, find the value of $M(n)$.

3. Given a positive integer $n$, check whether Mertens’ conjecture holds for $n$, that is, whether
   $|M(n)| = \left|\sum_{i=1}^{n} \mu(i)\right| < \sqrt{n}$.


4. Given a positive integer n, compute the cyclotomic polynomial of order n. 


Partitions 


A partition of a positive integer is a way to express it as a sum of positive integers 
where the order of the terms does not matter. In this section we will study partitions 
using a variety of ideas from number theory and from combinatorics. As such, we 
will be studying an aspect of combinatorial number theory. As you will see, partition 
theory is an amazingly rich area of study with many surprising results. Foremost among 
the many mathematicians who have studied partitions is Leonhard Euler, who made 
fundamental contributions to just about all of its aspects. Remarkably, new discoveries 
about partitions continue to be made today using a wide variety of techniques, many of 
which are elementary. 


We begin with some definitions. 


Definition. A partition of the positive integer $n$ is a way of writing $n$ as the sum
of positive integers where the order of the integers in the sum does not matter. We
specify a partition $\lambda$ when we write it as a nonincreasing sequence of positive integers
$(\lambda_1, \lambda_2, \ldots, \lambda_r)$ such that $\lambda_1 + \lambda_2 + \cdots + \lambda_r = n$. The integers $\lambda_1, \lambda_2, \ldots, \lambda_r$ are called
the parts of the partition $\lambda$.


Example 7.18. The sequence (3, 1, 1) is a partition of 5 because $3 + 1 + 1 = 5$ and
$3 \geq 1 \geq 1$. The parts of this partition are 3, 1, and 1. Note that the integer 1 occurs twice
as a part, illustrating that different parts of a partition may be the same. ◄


Another way to specify a partition of an integer is to give the number of times
each integer occurs as a part. That is, we specify a partition of $n$ when we write
$n = k_1 a_1 + k_2 a_2 + \cdots + k_i a_i + \cdots$, where $a_1, a_2, \ldots$ are distinct nonnegative integers
in increasing order. The integer $k_i$ is called the frequency of $a_i$; it tells us how many
times $a_i$ occurs in the partition. For example, $1 \cdot 4 + 3 \cdot 3 + 3 \cdot 2 + 2 \cdot 1$ specifies the
partition (4, 3, 3, 3, 2, 2, 2, 1, 1), where the frequencies of 4, 3, 2, and 1 are 1, 3, 3, and
2, respectively.


We will study arithmetic functions that count a variety of different types of partitions. 
We now introduce the most important of these functions. 


Definition. The number of different partitions of n is denoted by p(n). We call p(n) the 
partition function. We also define p(0) = 1, which makes sense because there is exactly 
one partition of the integer 0, the empty partition that has no parts. 


Example 7.19. We have $p(4) = 5$, as there are five partitions of 4, namely, (4), (3, 1),
(2, 2), (2, 1, 1), and (1, 1, 1, 1). Note that $p(7) = 15$ because there are 15 different partitions
of 7, namely (7), (6, 1), (5, 2), (5, 1, 1), (4, 3), (4, 2, 1), (4, 1, 1, 1), (3, 3, 1),
(3, 2, 2), (3, 2, 1, 1), (3, 1, 1, 1, 1), (2, 2, 2, 1), (2, 2, 1, 1, 1), (2, 1, 1, 1, 1, 1), and
(1, 1, 1, 1, 1, 1, 1). ◄


Fortunately, to find $p(n)$, we do not have to list all partitions of $n$. Instead, we
can compute $p(n)$ using a recurrence relation proved later in this section (Theorem 7.25).
This recurrence relation has been used to find $p(n)$ for $n$ as large as
25,000,000. It has also been shown that the number of partitions of $n$ grows extremely
rapidly, as can be seen using the asymptotic formula
$p(n) \sim \frac{e^{\pi\sqrt{2n/3}}}{4n\sqrt{3}}$, established in 1918 by Hardy and Ramanujan. (See [An98] for this formula and its
proof.) This asymptotic formula approximates $p(n)$ fairly well; for instance,
$p(1000) = 24{,}061{,}467{,}864{,}032{,}622{,}473{,}692{,}149{,}727{,}991$, while
$\frac{e^{\pi\sqrt{2 \cdot 1000/3}}}{4 \cdot 1000\sqrt{3}}$ is approximately
$2.4402 \times 10^{31}$. There is also an explicit formula for $p(n)$, found by Rademacher
in 1937. This formula gives $p(n)$ as the value of a convergent series of terms where
each term is quite complicated. Unfortunately, this explicit formula does not provide a
practical way to compute $p(n)$.


Restricted Partitions 


The partition function $p(n)$ counts all the partitions of $n$ where there are no restrictions
on the parts other than that they be positive integers. Consequently, $p(n)$ is said to count
the number of unrestricted partitions of $n$. Next, we will introduce a variety of related
functions that count restricted partitions, that is, partitions where the parts are subject to
one or more particular restrictions. The reader should be aware that this notation is not
standardized; different authors use a variety of notations to represent these functions.


Definition. Let $S$ be a subset of the set of positive integers and $m$ a positive integer.
We define

$p_S(n)$ = number of partitions of $n$ into parts from $S$,

$p^D(n)$ = number of partitions of $n$ into distinct parts, and

$p_m(n)$ = number of partitions of $n$ into parts each $\geq m$.

We combine these notations to further define

$p_S^D(n)$ = number of partitions of $n$ into distinct parts from $S$,

$p_m^D(n)$ = number of partitions of $n$ into distinct parts each $\geq m$,

$p_{m,S}(n)$ = number of partitions into parts each $\geq m$ from $S$, and

$p_{m,S}^D(n)$ = number of partitions of $n$ into distinct parts each $\geq m$ from $S$.


We denote the set of odd integers by $O$ and the set of even integers by $E$. So, with our
notation, $p_O(n)$ denotes the number of partitions of $n$ into odd parts and $p_E(n)$ denotes
the number of partitions of $n$ into even parts.


When restrictions different from those covered by these notations arise, we will not
introduce specific notation to count the partitions subject to these restrictions. Rather,
we use the more flexible notation $p(n \mid \text{conditions})$ to count the partitions of $n$ where the
parts satisfy the conditions specified, as in $p(n \mid \text{no part appears once})$, $p(n \mid \text{every part
occurs an odd number of times})$, $p(n \mid \text{no even part is repeated})$, and so on.


Example 7.20. The partitions of 7 were listed in Example 7.19. We have $p_O(7) = 5$,
$p^D(7) = 5$, and $p_2(7) = 4$, because those with odd parts are (7), (5, 1, 1), (3, 3, 1),
(3, 1, 1, 1, 1), and (1, 1, 1, 1, 1, 1, 1), those with distinct parts are (7), (6, 1), (5, 2), (4, 3),
and (4, 2, 1), and those with all parts at least two are (7), (5, 2), (4, 3), and (3, 2, 2).


We see that $p_O^D(7) = 1$ because there is only one partition of 7 into odd and distinct
parts, namely, (7). Also, we have $p(n \mid \text{no part appears only once}) = 2$, as (2, 2, 1, 1, 1)
and (1, 1, 1, 1, 1, 1, 1) are the partitions of 7 where each part appears more than once. ◄


Ferrers Diagrams 


Next, we describe a useful way to represent partitions graphically using a method devised
by Norman Ferrers. To depict the partition $n = \lambda_1 + \lambda_2 + \cdots + \lambda_k$ with $\lambda_1 \geq \lambda_2 \geq \cdots \geq \lambda_k$,
we use a diagram with $k$ rows of dots with row $j$ containing $\lambda_j$ dots, and all rows of
dots left justified. Such a depiction of a partition is called a Ferrers diagram.


Example 7.21. The Ferrers diagrams for the partitions (5, 2, 1, 1, 1), (4, 4, 2), and
(3, 3, 3, 1) of 10 are shown in Figure 7.2. ◄


Figure 7.2 Ferrers diagrams for the partitions (5, 2, 1, 1, 1), (4, 4, 2), and (3, 3, 3, 1).


We now turn our attention to the partition produced by interchanging the rows and
columns of the Ferrers diagram of a given partition.


Definition. Given a partition $n = \lambda_1 + \lambda_2 + \cdots + \lambda_k$ with $\lambda_1 \geq \lambda_2 \geq \cdots \geq \lambda_k$, we
define a new partition $\lambda' = \lambda'_1 + \lambda'_2 + \cdots + \lambda'_l$, the conjugate of $\lambda$, where $\lambda'_i$ equals
the number of parts of $\lambda$ that are at least $i$. A partition is self-conjugate if it is its own
conjugate.


Example 7.22. Consider the partition $\lambda = (4, 4, 3, 2, 1)$ of $n = 14$. All five parts of $\lambda$
are at least one, four parts are at least two, three of the parts are at least three, and two
of the parts are at least four. Hence, $\lambda'$, the conjugate partition of $\lambda$, is (5, 4, 3, 2). ◄


To see why the conjugate $\lambda'$ of $\lambda$ is itself a partition of $n$, we look at Ferrers diagrams.
We see that the number of dots in the $i$th row of the Ferrers diagram of $\lambda'$ equals the
number of the dots in the $i$th column of the Ferrers diagram of $\lambda$, because the number
of dots in the $i$th column equals the number of rows with at least $i$ dots. So, the Ferrers
diagram of $\lambda'$ can be drawn by exchanging the rows of the Ferrers diagram for $\lambda$ for its
columns. (Geometrically, the Ferrers diagram for $\lambda'$ is drawn by reflecting the Ferrers
diagram for $\lambda$ across its diagonal beginning at its top left corner.) There are also the same
number of dots in these two Ferrers diagrams. We also see that the parts of the conjugate
$\lambda'$ are in nonincreasing order, as when $i < j$, the number of parts of $\lambda$ which are at least
$j$ does not exceed the number of parts which are at least $i$.


NORMAN MACLEOD FERRERS (1829-1903), born in Gloucestershire, England,
was an only child in a prosperous family. His father was a stockbroker
from London and his mother came from the Hebrides Islands. Ferrers attended
Eton from 1844-1846, and from 1846-1847 he was taught by the mathematician
Harvey Goodwin. In 1847, Ferrers entered Gonville and Caius College at
Cambridge University. He was a superb mathematics student, ranking at the top
of his class, and was elected a fellow of his college in 1852. Later, Ferrers moved
to London, where he completed studies in law. However, deciding against a career
in law, he returned to Cambridge to study for the priesthood. However, he changed direction again
when his reputation led to an offer of a position in mathematics and a lifelong career at Cambridge
University. Ferrers was noted for his vivid exposition; he was praised as the best lecturer in the entire
university. He was also noted as a university reformer and was appointed Vice-Chancellor of Cambridge
University in 1884. Ferrers married in 1866; he and his wife, Emily, had five children. He was
also elected a member of the Royal Society in 1877.

Ferrers wrote several books and many articles on subjects including Lagrange’s equations,
spherical harmonics, trilinear and quadriplanar coordinates, and hydrodynamics. Ironically, you
cannot find a discussion of what he is known for today, Ferrers diagrams, in his published works.
Ferrers introduced these diagrams in his elegant solution of a problem appearing on an 1847 Tripos
examination question at Cambridge. It is only through the writing of Sylvester that we know of Ferrers’s
fundamental contribution to the study of partitions. Ferrers was grateful that Sylvester credited him
with his idea and was pleased that his idea turned out so useful in the study of partitions.


Example 7.23. We display the Ferrers diagrams for the conjugates of the three partitions
in Example 7.21 in Figure 7.3. By interchanging rows and columns, we see that
the conjugate partition of (5, 2, 1, 1, 1) is itself, showing it is self-conjugate. The conjugates
of (4, 4, 2) and (3, 3, 3, 1) are (3, 3, 2, 2) and (4, 3, 3), respectively, so neither is
self-conjugate. ◄


Figure 7.3 Ferrers diagram for the conjugates of the partitions in Example 7.21.


Ferrers diagrams are useful for providing identities between functions counting 
different types of partitions. We illustrate this technique with an example. 


Theorem 7.18. If $n$ is a positive integer, the number of partitions of $n$ with largest part
$r$ equals the number of partitions of $n$ into $r$ parts.


Proof. If $\lambda$ is a partition of $n$ with largest part $r$, then its Ferrers diagram has exactly
$r$ columns. To construct the Ferrers diagram of its conjugate $\lambda'$, we interchange rows
and columns in the Ferrers diagram. Consequently, the Ferrers diagram of the conjugate
partition has exactly $r$ rows. This means that it is the Ferrers diagram of a partition
with exactly $r$ parts. Furthermore, this correspondence can be reversed, as is easily seen.
Hence, we have a bijection between partitions of $n$ with largest part $r$ and those with
exactly $r$ parts, completing the proof. ■
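The following Python code is an added example, not part of the text. It enumerates partitions as nonincreasing tuples, computes conjugates from the definition, counts restricted partitions in the $p(n \mid \text{conditions})$ style, and checks the bijection of Theorem 7.18; the function names and the use of `*` for the dots of a Ferrers diagram are choices made here.

```python
from collections import Counter


def partitions(n, max_part=None):
    """Yield every partition of n as a nonincreasing tuple of positive integers."""
    if max_part is None or max_part > n:
        max_part = n
    if n == 0:
        yield ()                      # the empty partition of 0
        return
    for first in range(max_part, 0, -1):
        for rest in partitions(n - first, first):
            yield (first,) + rest


def conjugate(lam):
    """Conjugate partition: its i-th part is the number of parts of lam >= i."""
    if not lam:
        return ()
    return tuple(sum(1 for part in lam if part >= i)
                 for i in range(1, lam[0] + 1))


def ferrers(lam):
    """Ferrers diagram of lam as text, one left-justified row per part."""
    return "\n".join("*" * part for part in lam)


def count(n, condition):
    """p(n | condition): number of partitions of n satisfying the predicate."""
    return sum(1 for lam in partitions(n) if condition(lam))


def is_distinct(lam):
    return len(set(lam)) == len(lam)


def all_odd(lam):
    return all(part % 2 == 1 for part in lam)


def no_part_once(lam):
    return all(times > 1 for times in Counter(lam).values())


def theorem_7_18_holds(limit):
    """Check, for every n <= limit, that conjugation maps partitions with
    largest part r onto partitions with exactly r parts."""
    for n in range(1, limit + 1):
        parts = list(partitions(n))
        by_largest = Counter(lam[0] for lam in parts)
        by_length = Counter(len(lam) for lam in parts)
        if by_largest != by_length:
            return False
        for lam in parts:
            conj = conjugate(lam)
            if sum(conj) != n or len(conj) != lam[0] or conjugate(conj) != lam:
                return False
    return True


if __name__ == "__main__":
    print(len(list(partitions(7))))           # p(7)
    print(ferrers((4, 4, 3, 2, 1)))
    print(conjugate((4, 4, 3, 2, 1)))         # Example 7.22
    print(theorem_7_18_holds(12))
```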


Using Generating Functions to Study Partitions 


We now introduce generating functions, an important tool for studying properties of
sequences, especially those that arise in combinatorial problems. The generating function
of a sequence $a_n$, $n = 0, 1, 2, 3, \ldots$ is the power series $\sum_{n=0}^{\infty} a_n x^n$. In this book, we will
restrict ourselves to working with generating functions as formal power series. That
is, we will only use generating functions as a way to encode the coefficients of the
power series, carrying out operations on formal power series using the same techniques
that we use with polynomials. We will not be concerned with questions involving the
convergence of these series. We will be able to use generating functions to prove many
interesting identities about partitions. However, using techniques from analysis (see
[An98] and [Gr82]), many deep theorems about partitions can be proved using generating
functions.


First, we study the generating function for the number of unrestricted partitions of 
integers. 
Theorem 7.19. The generating function for $p(n)$ equals

$$\sum_{n=0}^{\infty} p(n)x^n = \prod_{j=1}^{\infty} \frac{1}{1 - x^j}.$$


Proof. To prove the theorem, we need only show that for all positive integers $n$, the
coefficient of $x^n$ in the generating function for the infinite product on the right-hand
side of the equation equals $p(n)$. To see this, first note that for a fixed value of $j$, the
generating function of $\frac{1}{1 - x^j}$ is $1 + x^j + x^{2j} + \cdots + x^{kj} + \cdots$. Consequently,

$$\prod_{j=1}^{\infty} \frac{1}{1 - x^j} = \prod_{j=1}^{\infty} (1 + x^j + x^{2j} + \cdots + x^{kj} + \cdots).$$

When we expand this product, terms of the sum are obtained by selecting for each
positive integer $j$ one factor of the form $x^{kj}$ and multiplying these terms together.
Hence, the coefficient of $x^n$ in the generating function equals the number of solutions of
$k_1 a_1 + k_2 a_2 + \cdots = n$ where $a_i$ is a positive integer for each $i$, $a_i \neq a_j$ if $i \neq j$, and $k_i$ is a
nonnegative integer for all $i$. As noted previously, there are exactly $p(n)$ such solutions,
because there is a one-to-one correspondence between such solutions and partitions of
$n$ where $k_i$ is the frequency of the part $a_i$. This proves the theorem. ■


Next, we find the generating function for $p^D$, the number of partitions of an integer
into distinct parts.


Theorem 7.20. The generating function for $p^D$ equals

$$\sum_{n=0}^{\infty} p^D(n)x^n = \prod_{j=1}^{\infty} (1 + x^j).$$


Proof. Observe that the coefficient of $x^n$ equals the number of ways to express $x^n$ as
the product of distinct terms of the form $x^j$ where $j$ is a positive integer. Hence, the
coefficient of $x^n$ in the sum formed by multiplying the factors in the infinite product
equals the number of ways to write $n$ as the sum of distinct exponents from the set of
positive integers. It follows that this coefficient is exactly $p^D(n)$. This proves the theorem. ■


We can easily generalize Theorems 7.19 and 7.20 to restricted partitions of $n$ where
the parts are restricted to belong to a subset $S$ of the set of positive integers. These
generalizations are given in Theorem 7.21. We leave its proof as an exercise.


Theorem 7.21. Let $S$ be a subset of the set of positive integers. Then the generating
function for $p_S(n)$, the number of ways that $n$ can be written as the sum of elements of $S$,
and for $p_S^D(n)$, the number of ways that $n$ can be written as the sum of distinct elements
of $S$, equal


The next theorem illustrates how generating functions can be used to prove interesting
results about partitions. Recall from Example 7.20 that there are five partitions of
seven into odd parts and there are also five partitions of seven into distinct parts, that is,
$p_O(7) = p^D(7) = 5$. This is no coincidence, as the next theorem shows.


Theorem 7.22. Euler Parity Theorem. If $n$ is a positive integer, then $p_O(n) = p^D(n)$.
That is, there are the same number of partitions of $n$ into odd parts as there
are partitions of $n$ into distinct parts.


Proof. We will prove this theorem just as Euler did. We will show that the generating
functions for $p_O(n)$ and $p^D(n)$ really are the same, even though the infinite products that
represent them look different at first blush.


By Theorems 7.20 and 7.21, we know that $\sum_{n=0}^{\infty} p^D(n)x^n = \prod_{i=1}^{\infty} (1 + x^i)$ and
$\sum_{n=0}^{\infty} p_O(n)x^n = \prod_{j \in O} \frac{1}{1 - x^j} = \prod_{i=1}^{\infty} \frac{1}{1 - x^{2i-1}}$. We will show that these two infinite
products are equal. To do so, first note that

$$\prod_{i=1}^{\infty} (1 + x^i) = \prod_{i=1}^{\infty} \frac{1 - x^{2i}}{1 - x^i}$$

because $(1 + x^i)(1 - x^i) = 1 - x^{2i}$. Next, we observe that


because all terms of the form $1 - x^{2i}$ can be canceled from the numerator and denominator
of the product. Putting things together, we conclude that

$$\prod_{i=1}^{\infty} (1 + x^i) = \prod_{i=1}^{\infty} \frac{1}{1 - x^{2i-1}}.$$

We have now shown that the generating functions for $p_O(n)$ and $p^D(n)$ are the same.
This means that $p_O(n) = p^D(n)$ for every positive integer $n$. ■


Another way to prove Euler’s parity theorem is to find a bijection between partitions 
of n with odd parts and those with distinct parts. We outline such a proof in Exercise 
32. Although finding a bijection between two sets of partitions provides a great deal 
of insight behind a partition identity, it is often easier to prove such an identity using 
generating functions. In fact, mathematicians often continue to look for bijections to 
explain partition identities that were first proved using generating functions. 
Euler’s Pentagonal Number Theorem


We now turn our attention to another discovery about partitions made by Leonhard Euler,
who uncovered a surprising identity with important consequences. From Theorem 7.20,
we know that $\prod_{i=1}^{\infty} (1 + x^i) = \sum_{n=0}^{\infty} p^D(n)x^n$. What can we say about the related infinite
product $\prod_{i=1}^{\infty} (1 - x^i)$, where the plus sign in each term has been changed to a minus sign?
What generating function does this infinite product represent? The following theorem
answers this question.


Theorem 7.23. We have

$$\prod_{i=1}^{\infty} (1 - x^i) = \sum_{n=1}^{\infty} a_n x^n$$

where $a_n = p(n \mid \text{even number of distinct parts}) - p(n \mid \text{odd number of distinct parts})$.


Proof. Consider all contributions to the $x^n$ term in the generating function when we
multiply out the infinite product. Each such contribution comes from a partition of $n$ into
distinct integers and brings a sign of $+1$ if there are an even number of distinct parts and
a sign of $-1$ if there are an odd number of distinct parts. Hence, the coefficient of $x^n$ in
the generating function is $p(n \mid \text{even number of distinct parts}) - p(n \mid \text{odd number of
distinct parts})$. ■


What Euler discovered is that there is a simple formula for the coefficients in the
generating function in Theorem 7.23.


Theorem 7.24. Euler’s Pentagonal Number Theorem. If $n$ is a positive integer, then
$p(n \mid \text{even number of distinct parts}) - p(n \mid \text{odd number of distinct parts}) = (-1)^k$ if
$n = k(3k \pm 1)/2$ for some positive integer $k$, and it equals 0 otherwise. Equivalently,

$$\prod_{i=1}^{\infty} (1 - x^i) = \sum_{n=-\infty}^{\infty} (-1)^n x^{n(3n-1)/2} = 1 + \sum_{n=1}^{\infty} (-1)^n x^{n(3n-1)/2}(1 + x^n).$$
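The following Python code is an added example, not part of the text. It multiplies out the infinite products of Theorems 7.19 through 7.24 as formal power series truncated after $x^N$, then confirms Euler's parity theorem and compares the coefficients of $\prod (1 - x^i)$ with an independent signed count of partitions into distinct parts and with the pentagonal formula; the function names and the truncation bound $N$ are choices made here.

```python
def multiply_truncated(a, b, N):
    """Product of two formal power series (coefficient lists), kept up to x^N."""
    c = [0] * (N + 1)
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            if i + j > N:
                break
            c[i + j] += ai * bj
    return c


def product_of(factors, N):
    """Multiply a sequence of truncated series together, starting from 1."""
    result = [1] + [0] * N
    for factor in factors:
        result = multiply_truncated(result, factor, N)
    return result


def geometric(j, N):
    """1/(1 - x^j) = 1 + x^j + x^(2j) + ..., truncated after x^N."""
    return [1 if e % j == 0 else 0 for e in range(N + 1)]


def two_term(j, sign, N):
    """1 + sign * x^j, truncated after x^N."""
    series = [1] + [0] * N
    if j <= N:
        series[j] += sign
    return series


def p_series(N):                 # Theorem 7.19: all partitions
    return product_of((geometric(j, N) for j in range(1, N + 1)), N)


def p_distinct_series(N):        # Theorem 7.20: distinct parts
    return product_of((two_term(j, 1, N) for j in range(1, N + 1)), N)


def p_odd_series(N):             # Theorem 7.21 with S = odd integers
    return product_of((geometric(j, N) for j in range(1, N + 1, 2)), N)


def euler_product_series(N):     # the product of (1 - x^i)
    return product_of((two_term(i, -1, N) for i in range(1, N + 1)), N)


def signed_distinct_counts(N):
    """a_n = p(n | even number of distinct parts) - p(n | odd number),
    counted directly without expanding any product."""
    # q[k][n] = number of partitions of n into exactly k distinct parts
    q = [[0] * (N + 1) for _ in range(N + 1)]
    q[0][0] = 1
    for part in range(1, N + 1):
        for k in range(N, 0, -1):            # descending: each part used once
            for n in range(part, N + 1):
                q[k][n] += q[k - 1][n - part]
    return [sum((-1) ** k * q[k][n] for k in range(N + 1)) for n in range(N + 1)]


def pentagonal_formula(N):
    """Coefficients predicted by Theorem 7.24, with constant term 1."""
    coeffs = [1] + [0] * N
    k = 1
    while k * (3 * k - 1) // 2 <= N:
        for n in (k * (3 * k - 1) // 2, k * (3 * k + 1) // 2):
            if n <= N:
                coeffs[n] = (-1) ** k
        k += 1
    return coeffs


if __name__ == "__main__":
    N = 40
    print(p_series(10))
    print(p_distinct_series(N) == p_odd_series(N))        # Theorem 7.22
    print(euler_product_series(N) == pentagonal_formula(N))
```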


Remark. Euler used generating functions to prove Theorem 7.24. Instead of that ap- 
proach, we will present a simpler proof discovered in 1881 by Fabian Franklin, a profes- 
sor at Johns Hopkins University. This clever proof is often cited as the first substantial 
contribution of an American mathematician. 


Proof. To prove the theorem, we will set up a correspondence between partitions with 
an even number of distinct parts and those with an odd number of distinct parts. We 
will show that this correspondence is one-to-one except when $n = k(3k \pm 1)/2$ for some 
positive integer k. In these cases, one of the two sets of partitions contains an extra 
partition. 


We use the Ferrers diagram for a partition of n to set up this correspondence. 
Consider two parts of the diagram, the last row with b dots and the diagonal D starting at 
the last dot on the first row (going from the top right toward the bottom left), containing 
k dots. This diagonal is made up of the last dot in all rows starting at the top row that 
contain exactly one fewer dot than the row above it. 

We now construct a new Ferrers diagram from the Ferrers diagram of our partition. 
When $b \le k$, we move the dots in the last row. We insert one of these dots in each of the 
top b rows. (Note that because $b \le k$, there are at least as many remaining rows as dots 
in the last row.) This produces a diagonal to the right of the diagonal D, and the resulting 
Ferrers diagram represents a partition with distinct parts. When $b > k$, we move the dots 
in D to form the last row of the new Ferrers diagram. We note that this new row has fewer 
dots than the preceding row. As the reader should verify, each of these two operations 
transforms a partition with an even number of distinct parts into one with an odd number 
of distinct parts, and vice versa. This sets up a one-to-one correspondence. We illustrate 
these transformations in Figure 7.4. 




Figure 7.4 Examples of the two cases of Franklin’s correspondence with $b \le k$ and $b > k$, 
respectively. 


The exceptional cases arise when b = k or b = k + 1. In each of these cases, there 
is a partition with distinct parts that cannot be transformed into a second partition where 
the number of parts has opposite parity. These are precisely the two cases where the 
diagonal D and the last row have a common dot. When b = k, the Ferrers diagram has k 
rows, where the bottom row has k dots, and each other row has one more dot than the 
one below it, so that 

$$n = k + (k+1) + \cdots + (2k-1) = \sum_{j=1}^{2k-1} j - \sum_{j=1}^{k-1} j = (2k-1)2k/2 - (k-1)k/2 = k(3k-1)/2$$

(where we have used the formula from Example 1.19). Similarly, when b = k + 1, the 
Ferrers diagram has k rows where the bottom row has k + 1 dots and each other row has 
one more dot than the row below it, so that 

$$n = (k+1) + (k+2) + \cdots + 2k = \sum_{j=1}^{2k} j - \sum_{j=1}^{k} j = 2k(2k+1)/2 - k(k+1)/2 = k(3k+1)/2.$$

Consequently, when $n = k(3k \pm 1)/2$, the difference between the number of partitions 
with an odd number of distinct parts and the number of partitions with an even 
number of distinct parts equals $(-1)^k$. Otherwise, this difference equals 0. ■ 

The exceptional cases when $n = k(3k \pm 1)/2$ for some positive integer k are the 
reason why this theorem is called Euler’s pentagonal number theorem. Recall (from 
Exercise 10 in Section 1.2) that $p_k = k(3k - 1)/2$ is the kth pentagonal number that 
counts the number of dots inside n nested pentagons. We extend this sequence to negative 
indices by taking $p_{-k} = -k(-3k - 1)/2 = k(3k + 1)/2$. The terms of the sequence 
$p_k$, $k = 0, \pm 1, \pm 2, \ldots$ are called the generalized pentagonal numbers. So, the exceptional 
cases of Theorem 7.24 arise precisely when n is a generalized pentagonal number. 
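
Franklin’s correspondence from the proof of Theorem 7.24 can be checked mechanically. The following is an added example, not code from the book; the function names are illustrative. It applies the two moves to every partition of n into distinct parts and reports the partitions left unpaired, which occur only at the generalized pentagonal numbers.

```python
# Added example: Franklin's correspondence on partitions into distinct parts.
# Function names are illustrative; the case split (b <= k versus b > k) and
# the two exceptional shapes follow the proof above.


def distinct_partitions(n, largest=None):
    """Yield each partition of n into distinct parts as a decreasing tuple."""
    if largest is None:
        largest = n
    if n == 0:
        yield ()
        return
    for first in range(min(n, largest), 0, -1):
        for rest in distinct_partitions(n - first, first - 1):
            yield (first,) + rest


def franklin(parts):
    """Return the partition paired with `parts`, or None in an exceptional case."""
    parts = list(parts)
    rows = len(parts)
    b = parts[-1]                      # dots in the last row
    k = 1                              # dots on the diagonal D
    while k < rows and parts[k] == parts[k - 1] - 1:
        k += 1
    shares_dot = (k == rows)           # D and the last row have a common dot
    if b <= k:
        if shares_dot and b == k:
            return None                # n = k(3k - 1)/2
        # Move the last row: one dot onto each of the top b rows.
        return tuple([p + 1 for p in parts[:b]] + parts[b:-1])
    if shares_dot and b == k + 1:
        return None                    # n = k(3k + 1)/2
    # Move the diagonal D down to become a new last row of k dots.
    return tuple([p - 1 for p in parts[:k]] + parts[k:] + [k])


def pentagonal_sign(n):
    """(-1)^k if n = k(3k - 1)/2 or n = k(3k + 1)/2 for some k >= 1, else 0."""
    k = 1
    while k * (3 * k - 1) // 2 <= n:
        if n in (k * (3 * k - 1) // 2, k * (3 * k + 1) // 2):
            return -1 if k % 2 else 1
        k += 1
    return 0


def signed_count(n):
    """p(n | even number of distinct parts) - p(n | odd number of distinct parts)."""
    return sum(-1 if len(lam) % 2 else 1 for lam in distinct_partitions(n))


def unpaired(n):
    """Check that Franklin's map pairs partitions of n; return the exceptions."""
    left_over = []
    for lam in distinct_partitions(n):
        mate = franklin(lam)
        if mate is None:
            left_over.append(lam)
            continue
        if sum(mate) != n or any(x <= y for x, y in zip(mate, mate[1:])):
            raise AssertionError(f"{lam} -> {mate} is not a distinct partition of {n}")
        if (len(mate) - len(lam)) % 2 == 0:
            raise AssertionError(f"{lam} -> {mate} keeps the parity of the part count")
        if franklin(mate) != lam:
            raise AssertionError(f"{lam} -> {mate} is not undone by a second move")
    return left_over


if __name__ == "__main__":
    for n in range(1, 31):
        extra = unpaired(n)
        assert signed_count(n) == pentagonal_sign(n)
        assert len(extra) == abs(pentagonal_sign(n))
        if extra:
            print(n, extra[0], pentagonal_sign(n))
```
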


One consequence of Euler’s pentagonal number theorem is an amazing recurrence 
relation for p(n) also discovered by Euler. 


Theorem 7.25. Euler’s Partition Formula. Suppose that n is a positive integer. Then 

$$p(n) = p(n-1) + p(n-2) - p(n-5) - p(n-7) + p(n-12) + p(n-15) - \cdots + (-1)^{k+1}\left[p\left(n - k(3k-1)/2\right) + p\left(n - k(3k+1)/2\right)\right] + \cdots.$$

Proof. Using the infinite product expansion $\sum_{n=0}^{\infty} p(n)x^n = \prod_{i=1}^{\infty} \frac{1}{1 - x^i}$ together with 
the identity $\prod_{i=1}^{\infty}(1 - x^i) = 1 + \sum_{n=1}^{\infty}(-1)^n x^{n(3n-1)/2}(1 + x^n)$ from Euler’s pentagonal 
number theorem, we see that 

$$1 = \prod_{i=1}^{\infty}\frac{1}{1 - x^i} \cdot \prod_{i=1}^{\infty}(1 - x^i) = \left(\sum_{n=0}^{\infty} p(n)x^n\right)\left(1 + \sum_{n=1}^{\infty}(-1)^n x^{n(3n-1)/2}(1 + x^n)\right).$$

We now equate the coefficients of $x^n$ of the constant function 1 and the function on the 
last line of this string of equalities to see that for n > 0, 

$$0 = p(n) - p(n-1) - p(n-2) + p(n-5) + p(n-7) - \cdots + (-1)^k p\left(n - k(3k-1)/2\right) + (-1)^k p\left(n - k(3k+1)/2\right) + \cdots.$$

Solving this last equation for p(n) completes the proof. ■ 


In the late nineteenth century, Percy MacMahon used Euler’s partition formula to 
compute p(n) for $1 \le n \le 200$, finding that p(200) = 3,972,999,029,388. Surprisingly, 
Euler’s recurrence relation is the most efficient way known for computing p(n). It can 
be shown (see Exercise 38) that this method computes p(n) using $O(n^{3/2})$ operations. 
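
The recurrence of Theorem 7.25 translates directly into a table-filling computation. The following is an added example, not code from the book; the function names are illustrative. It reproduces MacMahon’s value of p(200), counts the additions performed, and tests the three Ramanujan congruences stated in the next subsection on the computed values.

```python
# Added example: p(n) from Euler's partition formula (Theorem 7.25).
# partition_numbers and the helper names are illustrative.


def generalized_pentagonals(n):
    """Yield (k, g) for g = k(3k - 1)/2 and g = k(3k + 1)/2 with g <= n, k = 1, 2, ..."""
    k = 1
    while k * (3 * k - 1) // 2 <= n:
        yield k, k * (3 * k - 1) // 2
        if k * (3 * k + 1) // 2 <= n:
            yield k, k * (3 * k + 1) // 2
        k += 1


def partition_numbers(limit):
    """Return [p(0), ..., p(limit)] and the number of additions performed."""
    p = [1] + [0] * limit              # p(0) = 1 starts the recurrence
    additions = 0
    for n in range(1, limit + 1):
        total = 0
        for k, g in generalized_pentagonals(n):
            sign = 1 if k % 2 else -1  # (-1)^(k+1)
            total += sign * p[n - g]
            additions += 1
        p[n] = total
    return p, additions


def ramanujan_failures(p):
    """List (n, m) where p(n) is not divisible by m, for n = mk + r in the
    three progressions p(5k + 4), p(7k + 5), p(11k + 6)."""
    progressions = ((5, 4), (7, 5), (11, 6))
    return [(n, m) for m, r in progressions
            for n in range(r, len(p), m) if p[n] % m != 0]


if __name__ == "__main__":
    p, additions = partition_numbers(200)
    print(p[1:13])                     # p(1), ..., p(12)
    print(p[200], additions)           # each p(n) needs only about sqrt(n) terms
    print(ramanujan_failures(p))       # empty list: no counterexample up to 200
```
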


Ramanujan’s Contributions 


The famous Indian mathematician Srinivasa Ramanujan made many important contributions 
to the theory of partitions. We will now briefly describe some of these. 


Among the amazing discoveries made by Ramanujan about partitions are some 
congruences satisfied by values of the partition function. In particular, he showed that 
for all positive integers k, we have 

$p(5k + 4) \equiv 0 \pmod{5}$, 
$p(7k + 5) \equiv 0 \pmod{7}$, and 
$p(11k + 6) \equiv 0 \pmod{11}$. 


Elementary proofs of each of these three congruences can be found in [An98], but will not be 
given here. 


Congruences of the form $p(ak + b) \equiv 0 \pmod{m}$, where a, b, and m are positive 
integers, are called Ramanujan congruences. Ramanujan and other mathematicians 
proved congruences of this form when m is a power of 5, 7, 11, or 13. For many years 
it was widely believed that Ramanujan congruences held for no other prime moduli. 
However, in 2000 Kenneth Ono made a surprising discovery when he used the powerful 
theory of modular forms to show that Ramanujan congruences exist modulo p for 
every prime p > 5. Soon afterward with Scott Ahlgren, he proved that such congruences 
exist modulo m for every integer m relatively prime to 6. The Ramanujan congruences 
discovered by Ono are much more complicated than those discovered by Ramanujan. 
For instance, Ono’s work shows that 


$p(11864749k + 56062) \equiv 0 \pmod{13}$ and 
$p(48037937k + 1122838) \equiv 0 \pmod{17}$. 


Ramanujan is also known for bringing to light two important partition identities 
originally discovered by the English mathematician Leonard James Rogers in the 1890s, 
little known until Ramanujan rediscovered them. We refer the reader to [An98] for their 
proofs. 


Theorem 7.26. First Rogers-Ramanujan Identity. If n is a positive integer, then the 
number of partitions of n into parts differing by at least 2 equals the number of partitions 
of n into parts congruent to 1 or 4 modulo 5. ■ 


Theorem 7.27. Second Rogers-Ramanujan Identity. If n is a positive integer, then 
the number of partitions of n that have parts that differ by at least 2 and that are at least 
2 equals the number of partitions of n into parts congruent to 2 or 3 modulo 5. ■ 


The Rogers-Ramanujan identities have been generalized in many ways. Work on such 
identities continues to be an active area of research. 


In this section, we have only scratched the surface of partition theory. Readers who 
want to read more about this fascinating subject can learn more by consulting [AnEr04] 
or [An98]. 


EXERCISES 


1. By listing all partitions of n, find p(n) when n equals each of these values. 


a) 2 b) 4 c) 6 d) 9 

2. By listing all partitions of n, find p(n) when n equals each of these values. 


a) 3 b)5 c) 8 d) 11 


3. Use your answer to part (c) of Exercise 1 to find pg (6), p?(6), and p2(6). 


4. Use your answer to part (c) of Exercise 2 to find py(8), p?(8), and p2(8). 


5. Using your answer for part (d) of Exercise 1, find these values. 


a) Po(9) d) p?(9) g) py (9) 
b) pe (9) e) p2(9) h) P2,0(9) 
C) Ptm|m=1 (mod 3)}(9) f) p29) 

6. Using your answer for part (d) of Exercise 2, find these values. 
a) Po (11) d) p?(11) 8) p? (11) 
b) pe(1)) e) p2(11) h) p3,0(11) 
C) PUn|m=1 (mod 3)}(11) f) pp (11) 


Denote the number of partitions of n into exactly k parts by p(n, k). 


7. Show that if n is a positive integer, then $\sum_{k=1}^{n} p(n, k) = p(n)$. 

8. Find p(4, k) for k = 1, 2, 3, 4 and verify that $\sum_{k=1}^{4} p(n, k) = p(4)$. 

9. Find p(5, k) for k = 1, 2, 3, 4, 5 and verify that $\sum_{k=1}^{5} p(n, k) = p(5)$. 

10. Show that if n is a positive integer, then p(n, k) satisfies the recursive formula p(1, 1) = 1, 
p(n, k) = 0 if k > n or k = 0, and p(n, k) = p(n − 1, k − 1) + p(n − k, k) if $n \ge 2$ and 
$1 \le k \le n$. 

11. Find a formula for the number of partitions of a positive integer n made up of exactly two 
parts. 

12. Find the conjugate partition of the partition of n consisting of one part, namely, n itself. 

13. Find the conjugate partitions of each of these partitions of 15. Use your result to determine 
whether the partition is self-conjugate. 

a) 6, 4, 2, 2, 1 c) 4, 3, 3, 2, 1, 1, 1 

b) 8,7 252,292.41 

14. Find the conjugate partitions of each of these partitions of 16. Use your result to determine 
whether the partition is self-conjugate. 

a) 5, 4, 2, 2, 2, 1 G)'3:-9,02, 29 1,1 

b) 11, 5 d) 3, 3, 3, 3, 3, 1 

15. Find all self-conjugate partitions of 15. 

16. Find all self-conjugate partitions of 16. 

17. Use Ferrers diagrams to show that p(n | at most m parts) = p(n | no part is greater than m) 
when n and m are positive integers with $1 \le m \le n$. 

18. Use Ferrers diagrams to show that $p^D(n)$ = p(n | there are parts of every size from 1 to the 
size of the largest part). 

19. Find an infinite product for the generating function of p(n | parts are distinct powers of 2). 
Use Theorem 2.1 to find the generating function for this infinite product. 


20. Find an infinite product for the generating function of $p_{\{k \mid k \equiv 1 \pmod{3}\}}(n)$. Expand this product 
to find $p_{\{k \mid k \equiv 1 \pmod{3}\}}(n)$ for $1 \le n \le 16$. 

21. Find an infinite product for the generating function of p(n | no even part is repeated). Expand 
this product to find p(n | no even part is repeated) for $1 \le n \le 10$. 

22. Find an infinite product for the generating function of p(n | no part appears more than d 
times), where d is a positive integer. Expand this product to find p(n | no part appears more 
than 3 times) for $1 \le n \le 10$. 

23. Find an infinite product for the generating function of $p_{\{k \mid d \nmid k\}}(n)$, the number of partitions of 
n where no part is divisible by d, where d is a positive integer. Expand this product to find 
$p_{\{k \mid 4 \nmid k\}}(n)$ for $1 \le n \le 10$. 

24. Find an infinite product for the generating function for p(n | for all j, part j occurs fewer 
than j times). Expand this product to find the number of partitions of n where j occurs fewer 
than j times for all j for $1 \le n \le 10$. 

25. Find an infinite product generating function for p(n | no part is a perfect square). Expand this 
product to find the number of partitions of n where no part is a perfect 
square for $1 \le n \le 10$. 

26. Use Exercises 21, 22, and 23 to show that $p_{\{k \mid 4 \nmid k\}}(n)$ = p(n | no even part is repeated) = 
p(n | no part occurs more than three times) for all positive integers n. 

27. Use Exercises 22 and 23 to show that p(n | no part occurs more than d times) = $p_{\{k \mid (d+1) \nmid k\}}(n)$ 
when d is a positive integer. 

28. Use Exercises 24 and 25 to show that p(n | for all j, part j occurs fewer than j times) = p(n | 
no part is a perfect square) for all positive integers n. 

29. Show that there are p(n) − p(n − 1) partitions of the positive integer n that do not contain 
the integer 1 as a part 

a) using generating functions. b) using a bijection. 

30. Use Ferrers diagrams to show that the number of self-conjugate partitions of a positive integer n 
equals $p_O^D(n)$, the number of partitions of n into distinct odd parts. (Hint: Count 
the dots in the first row or column of the Ferrers diagram of a self-conjugate partition to get 
the first row of the Ferrers diagram for a partition with distinct odd parts.) 

31. Prove that $p_{\{1\}}(n)$ = p(n | distinct powers of 2). To set up this bijection, merge pairs of ones 
into twos, pairs of twos into fours, and so on, continuing until all parts are distinct. Explain 
why this proves that every positive integer can be written uniquely as the sum of distinct 
powers of 2. 

32. Use a bijection to prove Euler’s parity theorem. (Hint: Starting with a partition with odd parts, 
successively merge parts of equal size until all parts are distinct; for the reverse direction, 
successively split even parts into two smaller parts of the same size.) 

33. Use Exercise 30 to show that p(n) is odd if and only if $p_O^D(n)$, the number of partitions into 
distinct odd parts, is odd. 

34. Show that p(n) > p(n − 1) for every positive integer n. (Hint: Use Exercise 29.) 

35. Show that p(n) < p(n − 1) + p(n − 2) for all positive integers n > 2, and use this inequality 
to show that p(n) < $f_{n+1}$ (the (n + 1)st Fibonacci number). (Hint: Use Exercise 34 and show 
that p(n − 2) < p(n | no part equals 1).) 

36. Show that if n is a positive integer, then p(n) < (p(n − 1) + p(n + 1))/2. 

37. Use Euler’s partition formula to find p(n) for all positive integers n with n < 12. 

38. Show that p(n) can be computed using $O(n^{3/2})$ bit operations using Euler’s partition formula. 

39. Prove Theorem 7.21. 

40. Verify the first and second Rogers-Ramanujan identities for n = 9. 

41. Verify the first and second Rogers-Ramanujan identities for n = 11. 

42. Prove that if n is a positive integer, then $p(n) = \frac{1}{n}\sum_{k=1}^{n} \sigma(k)\,p(n - k)$. (Hint: Take logarithms 
of both sides of the equation in Theorem 7.19, then differentiate.) 


Computations and Explorations 


1. Find p(100). 

2. Find p(500). 

3. Use numerical evidence to conjecture a formula for the number of partitions of an integer n 
into exactly three parts. 

4. Verify Ramanujan’s congruences $p(5k + 4) \equiv 0 \pmod{5}$, $p(7k + 5) \equiv 0 \pmod{7}$, and 
$p(11k + 6) \equiv 0 \pmod{11}$ for as many positive integers k as you can. 

5. Looking at values of p(n) for $1 \le n \le 1000$, find congruences of the form p(5*k + b) = 
0 (mod 5*), p(7*k + b) = 0 (mod 7”), and p(5*k + b) = 0 (mod 5°) that may hold for all 
positive integers k. 

6. Kohlberg has shown that there are infinitely many positive integers n for which p(n) is odd, 
and infinitely many for which p(n) is even. Parkin and Shanks conjectured that the proportion 
of n for which p(n) is even (or odd) approaches 1/2 as n grows. Determine the parity of p(n) 
for as many positive integers as you can to gather evidence for this conjecture. 

7. It is unknown whether there are infinitely many positive integers n for which p(n) is divisible 
by 3. Find as many positive integers n as you can for which 3 divides p(n). 

8. Erdős has conjectured that if m is a positive integer and r is an integer with $0 \le r < m$, then there 
exists a positive integer n such that $p(n) \equiv r \pmod{m}$. Furthermore, Newman has conjectured 
there are infinitely many such n given m and r. Gather as much evidence as you can to support 
these conjectures. 

9. Find as many values of n as you can for which p(n) is a prime. 

10. Investigate how well the Hardy and Ramanujan asymptotic formula approximates p(n) as n 
grows. 


Programming Projects 


1. Given a positive integer n, find p(n) using Euler’s partition formula. 

2. Given a positive integer n, find $p^D(n) = p_O(n)$. 

3. Given a positive integer n and positive integers m and r with $0 \le r < m$, find $p_S(n)$, where 
S is the set of integers congruent to r modulo m. 


8.1 


Cryptology 


How can you make a message secret, so that only the intended recipient of the 
message can recover it? This problem has interested people since ancient times, 
especially in diplomacy, military affairs, and commerce. In the modern world, making 
messages secret has become even more important, especially with the advent of electronic 
messaging and the Internet. This chapter is devoted to cryptology, the discipline 
devoted to secrecy systems. We will introduce some of the classical methods for making 
messages secret, starting with methods used in the Roman Empire, 2000 years ago. We 
will describe variations and modifications of these classical methods developed in the 
past two centuries, all based on modular arithmetic, and introduce the basic terminology 
and concepts of cryptology through our study of these methods. In all these classical 
systems, two people who wish to communicate privately must share a common secret 
key. 


Since the 1970s, the notion of public key cryptography has been introduced and 
developed. In public key cryptography, two people who wish to communicate need not 
share a common key; instead, each person has both a private key that only this person 
knows and a public key that everyone knows. Using a public key system, you can send 
someone a message using their public key so that only that person can recover the 
message, using the corresponding private key. We will introduce the RSA cryptosystem, 
the most commonly used public key cryptosystem, whose security is based on the 
difficulty of factoring integers. We will also study a proposed public key cryptosystem, 
based on the knapsack problem, which (although promising) turned out not to be suitable. 


Finally, we will discuss some cryptographic protocols. These are algorithms used 
to create agreements among two or more parties to achieve some common goal. We 
will show how cryptographic techniques that we have developed can be used to allow 
people to share common encryption keys, to sign electronic messages, to play poker 
electronically, and to share a secret. 


Character Ciphers 
Some Terminology 


Before discussing specific secrecy systems, we present the basic terminology of secrecy 
systems. The discipline devoted to secrecy systems is called cryptology. Cryptography is 
the part of cryptology that deals with the design and implementation of secrecy systems, 
while cryptanalysis is aimed at “breaking” (defeating) these systems. A message that is 
to be altered into a secret form is called plaintext. A cipher, or encryption method, is a 
procedure for altering a plaintext message into ciphertext by changing the letters 
of the plaintext using a transformation. The key determines a particular transformation 
from a set of possible transformations. The process of changing plaintext into ciphertext 
is called encryption, or enciphering, while the reverse process of changing the ciphertext 
back to the plaintext by the intended receiver, who possesses knowledge of the method 
for doing so, is called decryption, or deciphering. This, of course, is different from 
the process that someone other than the intended receiver uses to make the message 
intelligible, through cryptanalysis. 


By a cryptosystem we mean the collection made up of a set of allowable plaintext 
messages, a set of possible ciphertext messages, a set of keys where each key specifies a 
particular encryption function, and the corresponding encryption functions and decryption 
functions. Formally, a cryptosystem is a system that consists of a finite set P of 
possible plaintext messages, a finite set C of possible ciphertext messages, a keyspace K 
of possible keys, and for each key k in the keyspace K, an encryption function $E_k$ and 
a corresponding decryption function $D_k$, such that $D_k(E_k(x)) = x$ for every plaintext 
message x. 


The Caesar Cipher 


In this chapter, we present secrecy systems based on modular arithmetic. The first of these 
had its origin with Julius Caesar; the newest systems that we will discuss were invented 
in the late 1970s. In all these systems, we start by translating letters into numbers. We 
take as our standard alphabet the letters of English and translate them into the integers 
from 0 to 25, as shown in Table 8.1. 


Letter                  A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
Numerical Equivalent    0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

Table 8.1 The numerical equivalents of letters. 


Of course, if we were sending messages in Russian, Greek, Hebrew, or any other 
language, we would use the appropriate alphabet and range of integers. Also, we may 
want to include all ASCII characters, including punctuation marks, a symbol to indicate 
blanks, and the digits for representing numbers as part of the message. However, for 
the sake of simplicity, we restrict ourselves to the letters of the English alphabet. The 
transformation of letters to numbered equivalents can be done in many other ways 
(including translation to bit strings). Here we have chosen a simple and easily understood 
transformation for simplicity. 


First, we discuss secrecy systems based on transforming each letter of the plaintext 
message into a different letter (or possibly the same) to produce the ciphertext. The encryption 
methods in these cryptosystems are called character, or monographic, ciphers, 
because each character is changed individually to another letter by a substitution. Altogether, 
there are 26! possible ways to produce a monographic transformation. We will 
discuss some particular monographic transformations based on modular arithmetic. 


Julius Caesar used a cipher based on the substitution in which each letter is replaced 
by the letter three further down the alphabet, with the last three letters shifted to the first 
three letters of the alphabet. To describe this cipher using modular arithmetic, let P be 
the numerical equivalent of a letter in the plaintext and C be the numerical equivalent of 
the corresponding ciphertext letter. Then 


$C \equiv P + 3 \pmod{26}$, $0 \le C \le 25$. 


The correspondence between plaintext and ciphertext is given in Table 8.2. 


Plaintext     A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
              0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
              3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25  0  1  2
Ciphertext    D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z  A  B  C

Table 8.2 The correspondence of letters for the Caesar cipher. 


To encrypt a message using this transformation, we first change it to its numerical 
equivalent, grouping letters in blocks of five. Then we transform each number. The grouping 
of letters into blocks helps to prevent successful cryptanalysis based on recognizing 
particular words. We illustrate this procedure in Example 8.1. 


Example 8.1. To encrypt the message 

THIS MESSAGE IS TOP SECRET, 

we break it into groups of five letters. The message becomes 

THISM ESSAG EISTO PSECR ET. 

Converting the letters into their numerical equivalents, we obtain 

19 7 8 18 12   4 18 18 0 6   4 8 18 19 14   15 18 4 2 17   4 19. 

Using the Caesar transformation $C \equiv P + 3 \pmod{26}$, this becomes 

22 10 11 21 15   7 21 21 3 9   7 11 21 22 17   18 21 7 5 20   7 22. 

Translating back to letters, we have 

WKLVP HVVDJ HLVWR SVHFU HW. 

This is the encrypted message. ■ 

The receiver decrypts a message in the following manner. First, the letters are 
converted to numbers. Then, the relationship $P \equiv C - 3 \pmod{26}$, $0 \le P \le 25$, is used 
to change the ciphertext back to the numerical version of the plaintext, and finally the 
message is converted to letters. 


We illustrate the deciphering procedure in the following example. 


Example 8.2. To decrypt the message 

WKLVL VKRZZ HGHFL SKHU 

encrypted by the Caesar cipher, we first change these letters into their numerical equivalents, 
to obtain 

22 10 11 21 11   21 10 17 25 25   7 6 7 5 11   18 10 7 20. 

Next, we perform the transformation $P \equiv C - 3 \pmod{26}$ to change this to plaintext, 
and we obtain 

19 7 8 18 8   18 7 14 22 22   4 3 4 2 8   15 7 4 17. 

We translate this back to letters and recover the plaintext message. 

THISI SHOWW EDECI PHER 

By combining the appropriate letters into words, we find that the message reads 

THIS IS HOW WE DECIPHER ■ 


Affine Transformation 

The Caesar cipher is one of a family of similar ciphers described by a shift transformation 

$C \equiv P + k \pmod{26}$, $0 \le C \le 25$, 

where k is the key representing the size of the shift of letters in the alphabet. There are 
26 different transformations of this type, including the case of $k \equiv 0 \pmod{26}$, where 
letters are not altered, because in this case $C \equiv P \pmod{26}$. 


More generally, we will consider transformations of the type 

(8.1) $C \equiv aP + b \pmod{26}$, $0 \le C \le 25$, 

where a and b are integers with (a, 26) = 1. These are called affine transformations. 
Shift transformations are affine transformations with a = 1. We require that (a, 26) = 1, 
so that as P runs through a complete system of residues modulo 26, C also does. There 
are $\phi(26) = 12$ choices for a, and 26 choices for b, giving a total of 12 · 26 = 312 
transformations of this type (one of these is $C \equiv P \pmod{26}$, obtained when a = 1 and 
b = 0). If the relationship between plaintext and ciphertext is described by (8.1), then 
the inverse relationship is given by 

$P \equiv \bar{a}(C - b) \pmod{26}$, $0 \le P \le 25$, 

where $\bar{a}$ is an inverse of a (mod 26), which can be found using the congruence 
$\bar{a} \equiv a^{\phi(26)-1} = a^{11} \pmod{26}$. 

We illustrate how affine transformations work in Example 8.3. 

Example 8.3. Let a = 7 and b = 10 in an affine cipher with $C \equiv aP + b \pmod{26}$, so 
that $C \equiv 7P + 10 \pmod{26}$. Note that $P \equiv 15(C - 10) \equiv 15C + 6 \pmod{26}$, because 
15 is an inverse of 7 modulo 26. The correspondence between letters is given in Table 8.3. 


Plaintext     A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
              0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
             10 17 24  5 12 19  0  7 14 21  2  9 16 23  4 11 18 25  6 13 20  1  8 15 22  3
Ciphertext    K  R  Y  F  M  T  A  H  O  V  C  J  Q  X  E  L  S  Z  G  N  U  B  I  P  W  D

Table 8.3 The correspondence of letters for the cipher with $C \equiv 7P + 10 \pmod{26}$. 


To illustrate how we obtained this correspondence, note that the plaintext letter L 
with numerical equivalent 11 corresponds to the ciphertext letter J, because $7 \cdot 11 + 10 = 
87 \equiv 9 \pmod{26}$ and 9 is the numerical equivalent of J. 


To illustrate how to encrypt, note that 

PLEASE SEND MONEY 

is transformed to 

LJMKG MGMXF QEXMW. 

Also note that the ciphertext 

FEXEN ZMBMK JNHMG MYZMN 

corresponds to the plaintext 

DONOT REVEA LTHES ECRET, 

or, combining the appropriate letters, 

DO NOT REVEAL THE SECRET. ■ 

We now discuss some of the techniques directed at the cryptanalysis of ciphers based 
on affine transformations. In attempting to break a monographic cipher, the frequency of 
letters in the ciphertext is compared with the frequency of letters in ordinary text. This 
gives information concerning the correspondence between letters. In various frequency 
counts of English text, one finds the percentages listed in Table 8.4 for the occurrence 
of the 26 letters of the alphabet. Counts of letter frequencies in other languages may be 
found in [Fr78] and [Ku76]. 


Letter              A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
Frequency (in %)    7  1  3  4 13  3  2  3  8 <1 <1  4  3  8  7  3 <1  8  6  9  3  1  1 <1  2 <1

Table 8.4 The frequencies of occurrence of the letters of the alphabet. 


From this information, we see that the most frequently occurring letters in typical 
English text are E, T, N, R, I, O, and A, with E occurring substantially more than the 
other letters, 13% of the time, and T, N, R, I, O, and A each occurring between 7% and 
9% of the time. We can use this information to determine which cipher based on an affine 
transformation has been used to encrypt a message. We illustrate how this cryptanalysis 
is done in the following example. 


Example 8.4. Suppose that we know in advance that a shift cipher has been employed 
to encrypt a message; each letter of the message has been transformed by a correspondence 
$C \equiv P + k \pmod{26}$, $0 \le C \le 25$. To cryptanalyze the ciphertext 

YFXMP CESPZ CJTDF DPQFW QZCPY 
NTASP CTYRX PDDLR PD, 

we first count the number of occurrences of each letter in the ciphertext. This is displayed 
in Table 8.5. 


We notice that the most frequently occurring letter in the ciphertext is P, with the 
letters C, D, F, T, and Y occurring with relatively high frequency. Our initial guess would 
be that P represents E, since E is the most frequently occurring letter in English text. If 
this is so, then $15 \equiv 4 + k \pmod{26}$, so that $k \equiv 11 \pmod{26}$. Consequently, we would 
have $C \equiv P + 11 \pmod{26}$ and $P \equiv C - 11 \pmod{26}$. This correspondence is given in 
Table 8.6. 


Letter                   A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
Number of Occurrences    1  0  4  5  1  3  0  0  0  1  0  1  1  1  0  7  2  2  2  3  0  0  1  2  3  2

Table 8.5 The number of occurrences of letters in a ciphertext. 


Ciphertext    A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
              0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
             15 16 17 18 19 20 21 22 23 24 25  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14
Plaintext     P  Q  R  S  T  U  V  W  X  Y  Z  A  B  C  D  E  F  G  H  I  J  K  L  M  N  O

Table 8.6 Correspondence of letters for the sample ciphertext. 


Using this correspondence, we attempt to decrypt the message. We obtain 

NUMBE RTHEO RYISU SEFUL FOREN 
CIPHE RINGM ESSAG ES. 

This can easily be read as 

NUMBER THEORY IS USEFUL FOR 
ENCIPHERING MESSAGES. 

Consequently, we made the correct guess. If we had tried this transformation, and instead 
of plaintext, it produced garbled text, we would have tried another likely transformation 
based on the frequency count of letters in the ciphertext. ■ 


Example 8.5. Suppose we know that an affine transformation of the form $C \equiv aP + b 
\pmod{26}$, $0 \le C \le 25$, has been used for encryption. For instance, suppose that we wish 
to cryptanalyze the encrypted message 


USLEL JUTCC YRTPS URKLT YGGFV 
ELYUS LRYXD JURTU ULVCU URJRK 
QLLQL YXSRV LBRYZ CYREK LVEXB 
RYZDG HRGUS LJLLM LYPDJ LJTJU 
FALGU PTGVT JULYU SLDAL TJRWU 
SLJFE OLPU. 


The first thing to do is to count the occurrences of each letter; this count is displayed 
in Table 8.7. 


With this information, we guess that the letter L, which is the most frequently 
occurring letter in the ciphertext, corresponds to E, while the letter U, which occurs 
with the second-highest frequency, corresponds to T. This implies, if the transformation 
is of the form $C \equiv aP + b \pmod{26}$, the pair of congruences 


$4a + b \equiv 11 \pmod{26}$ 
$19a + b \equiv 20 \pmod{26}$. 


By Theorem 4.15 we see that the solution of this system is $a \equiv 11 \pmod{26}$ and 
$b \equiv 19 \pmod{26}$. 


If this is the correct enciphering transformation, then using the fact that 19 is an 
inverse of 11 modulo 26, the deciphering transformation is 


$P \equiv 19(C - 19) \equiv 19C - 361 \equiv 19C + 3 \pmod{26}$, $0 \le P \le 25$. 


This gives the correspondence found in Table 8.8. 


Letter                   A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
Number of Occurrences    2  2  4  4  5  3  6  1  0 10  3 22  1  0  1  4  2 12  7  8 16  5  1  3 10  2

Table 8.7 The number of occurrences of letters in a ciphertext. 


Ciphertext    A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
              0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
              3 22 15  8  1 20 13  6 25 18 11  4 23 16  9  2 21 14  7  0 19 12  5 24 17 10
Plaintext     D  W  P  I  B  U  N  G  Z  S  L  E  X  Q  J  C  V  O  H  A  T  M  F  Y  R  K

Table 8.8 The correspondence of letters for the sample ciphertext. 


With this correspondence, we try to read the ciphertext, which becomes 


THEBE STAPP ROACH TOLEA RNNUM 
BERTH EORYI STOAT TEMPT TOSOL 
VEEVE RYHOM EWORK PROBL EMBYW 
ORKIN GONTH ESEEX ERCIS ESAST 
UDENT CANMA STERT HEIDE ASOFT 
HESUB JECT. 


We leave it to the reader to combine the appropriate letters into words to see that the 
message is intelligible. ■ 
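
The affine transformation of Example 8.3 and the frequency-based cryptanalysis of Examples 8.4 and 8.5 can be carried out in a few lines. The following is an added example, not code from the book; the function names are illustrative, and the ciphertexts are the ones printed in those examples. Candidate keys are produced in order of plausibility, so that, as described in Example 8.4, a guess that yields garbled text can be followed by the next likely one.

```python
# Added example: affine ciphers C = aP + b (mod 26) and the frequency attack of
# Examples 8.4 and 8.5. Function names are illustrative.
from collections import Counter
from itertools import permutations
from math import gcd

LIKELY = "ETNRIOA"      # most frequent English letters, per Table 8.4

EX_84 = "YFXMP CESPZ CJTDF DPQFW QZCPY NTASP CTYRX PDDLR PD"
EX_85 = ("USLEL JUTCC YRTPS URKLT YGGFV ELYUS LRYXD JURTU ULVCU URJRK "
         "QLLQL YXSRV LBRYZ CYREK LVEXB RYZDG HRGUS LJLLM LYPDJ LJTJU "
         "FALGU PTGVT JULYU SLDAL TJRWU SLJFE OLPU")


def to_numbers(text):
    """Numerical equivalents (A = 0, ..., Z = 25); everything else is dropped."""
    return [ord(ch) - 65 for ch in text.upper() if "A" <= ch <= "Z"]


def to_letters(numbers):
    return "".join(chr(n % 26 + 65) for n in numbers)


def encrypt(plaintext, a, b):
    if gcd(a, 26) != 1:
        raise ValueError("a must be relatively prime to 26")
    return to_letters(a * p + b for p in to_numbers(plaintext))


def decrypt(ciphertext, a, b):
    if gcd(a, 26) != 1:
        raise ValueError("a must be relatively prime to 26")
    a_inv = pow(a, 11, 26)             # inverse of a: a^(phi(26) - 1) = a^11
    return to_letters(a_inv * (c - b) for c in to_numbers(ciphertext))


def keys_from_pairs(p1, c1, p2, c2):
    """All (a, b) with a*p1 + b = c1 and a*p2 + b = c2 (mod 26), (a, 26) = 1."""
    keys = []
    for a in range(1, 26):
        if gcd(a, 26) != 1:
            continue
        b = (c1 - a * p1) % 26         # forced by the first congruence
        if (a * p2 + b) % 26 == c2:
            keys.append((a, b))
    return keys


def shift_candidates(ciphertext):
    """Shift keys k, most plausible first: the commonest letter stands for E, T, ..."""
    top = Counter(to_numbers(ciphertext)).most_common(1)[0][0]
    return [(top - p) % 26 for p in to_numbers(LIKELY)]


def affine_candidates(ciphertext):
    """Yield affine keys (a, b) by matching the two commonest ciphertext letters
    with ordered pairs of likely plaintext letters, (E, T) first."""
    ranked = [c for c, _ in Counter(to_numbers(ciphertext)).most_common(2)]
    if len(ranked) < 2:
        return
    seen = set()
    for g1, g2 in permutations(to_numbers(LIKELY), 2):
        for key in keys_from_pairs(g1, ranked[0], g2, ranked[1]):
            if key not in seen:
                seen.add(key)
                yield key


if __name__ == "__main__":
    print(encrypt("PLEASE SEND MONEY", 7, 10))
    k = shift_candidates(EX_84)[0]
    print(k, decrypt(EX_84, 1, k))
    a, b = next(affine_candidates(EX_85))
    print((a, b), decrypt(EX_85, a, b))
```
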


The methods described in this section can be extended to construct cryptosystems 
more difficult to break than character ciphers. For example, plaintext letters can be shifted 
by different amounts, as is done in Vigenère ciphers, described in Section 8.2. Additional 
methods based on enciphering blocks of letters rather than individual characters will also 
be described in Section 8.2 and in subsequent sections of this chapter, as will ciphers 
where the key used to encrypt characters changes from character to character. 


EXERCISES 


1. Using the Caesar cipher, encrypt the message ATTACK AT DAWN. 

2. Decrypt the ciphertext message LFDPH LVDZL FRQTX HUHG, which has been encrypted 
using the Caesar cipher. 

3. Encrypt the message SURRENDER IMMEDIATELY using the affine transformation 
$C \equiv 11P + 18 \pmod{26}$. 

4. Encrypt the message THE RIGHT CHOICE using the affine transformation 
$C \equiv 15P + 14 \pmod{26}$. 

5. Decrypt the message YLFQX PCRIT, which was encrypted using the affine transformation 
$C \equiv 21P + 5 \pmod{26}$. 

6. Decrypt the message RTOLK TOIK, which was encrypted using the affine transformation 
$C \equiv 3P + 24 \pmod{26}$. 

7. If the most common letter in a long ciphertext, encrypted by a shift transformation 
$C \equiv P + k \pmod{26}$, is Q, then what is the most likely value of k? 

8. The message KYVMR CLVFW KYVBV PZJJV MVEKV VE was encrypted using a shift 
transformation $C \equiv P + k \pmod{26}$. Use frequencies of letters to determine the value of k. 
What is the plaintext message? 

9. The message IVQLM IQATQ SMIKP QTLVW VMQAJ MBBMZ BPIVG WCZWE 
VNZWU KPQVM AMNWZ BCVMK WWSOM was encrypted using a shift transformation 
$C \equiv P + k \pmod{26}$. Use frequencies of letters to determine the value of k. What is the 
plaintext message? 

10. If the two most common letters in a long ciphertext, encrypted by an affine transformation 
$C \equiv aP + b \pmod{26}$, are X and Q, respectively, then what are the most likely values for a 
and b? 

11. If the two most common letters in a long ciphertext, encrypted by an affine transformation 
$C \equiv aP + b \pmod{26}$, are W and B, respectively, then what are the most likely values for a 
and b? 

12. The message MJMZK CKUNM GWIRY VCPUW MPRRW GMIOP MSNYS RYRAZ 
PXMCD WPRYE YXD was encrypted using an affine transformation $C \equiv aP + b \pmod{26}$. 
Use frequencies of letters to determine the values of a and b. What is the plaintext message? 

13. The message WEZBF TBBNJ THNBT ADZQE TGT YR BZAJN ANOOZ ATWGN ABOVG 
FNWZV A was encrypted using an affine transformation $C \equiv aP + b \pmod{26}$. The most 
common letters in the plaintext are A, E, N, and S. What is the plaintext message? 

14. The message PIXFJ SWJINX JMRTJ FVSUJ OOJWF OVAJR WHEOF JRWJO DJFFZ BJF 
was encrypted using an affine transformation $C \equiv aP + b \pmod{26}$. Use frequencies of letters 
to determine the values of a and b. What is the plaintext message? 


Given two ciphers, plaintext may be encrypted by first using one of the ciphers, and then using 
the other cipher on this result. This procedure produces a product cipher. 


15. Find the product cipher obtained by using the transformation $C \equiv 5P + 13 \pmod{26}$ followed 
by the transformation $C \equiv 17P + 3 \pmod{26}$. 

16. Find the product cipher obtained by using the transformation $C \equiv aP + b \pmod{26}$ followed 
by the transformation $C \equiv cP + d \pmod{26}$, where $(a, 26) = (c, 26) = 1$. 


Computations and Explorations 


1. Find the frequency of the letters of the English alphabet in different types of English text, 
such as in this book, in computer programs, and in a novel. 

2. Encrypt some messages using affine transformations, as ciphertexts for your classmates to 
decipher. 

3. Decrypt messages that were enciphered by your classmates using affine transformations, 
using letter-frequency analysis. 


Programming Projects 


1. Given a plaintext message, encrypt it using the Caesar cipher. 

2. Given a plaintext message, encrypt it using the transformation $C \equiv P + k \pmod{26}$, where 
k is a given integer. 

3. Given a plaintext message, encrypt it using the transformation $C \equiv aP + b \pmod{26}$, where 
a and b are integers with $(a, 26) = 1$. 

4. Given a ciphertext message that has been encrypted using the Caesar cipher, decrypt it. 

5. Given a key k and a ciphertext message produced using the cipher $C \equiv P + k \pmod{26}$, 
decrypt it. 

6. Given a valid key pair a, b for the affine cipher and a ciphertext message produced by the 
cipher $C \equiv aP + b \pmod{26}$, decrypt it. 

7. Given ciphertext that was produced using a cipher of the form $C \equiv P + k \pmod{26}$, where 
k is an unknown key, find k using frequency counts. 

8. Given ciphertext that was produced using a cipher of the form $C \equiv aP + b \pmod{26}$, where 
a, b is a valid key pair for the affine cipher, find a and b using frequency counts. 


Block and Stream Ciphers 


In Section 8.1, we studied character (or monographic) ciphers based on the substitution 
of characters. These ciphers are vulnerable to cryptanalysis based on the frequency of 
letters in the ciphertext. To avoid this weakness, we can use ciphers that substitute for 
each block of plaintext letters of a specified length a block of ciphertext letters of the 
same length. Ciphers of this sort are called block, or polygraphic, ciphers. In this section, 
we will discuss several varieties of block ciphers, including polygraphic ciphers based 
on modular arithmetic. We will describe a cipher known since the sixteenth century 
that employs several different character ciphers determined by a keyword, and a cipher 
invented by Hill around 1930 (see [Hi31]) that encrypts blocks using modular matrix 
multiplication. We will also discuss (but do not describe in full detail) a more complicated 
block cipher important in commercial use, the Data Encryption Algorithm. At the end 
of this section, we will describe another type of cipher, a stream cipher, where the key 
can change as successive characters (or bits) are encrypted. 


Vigenère Ciphers 


We begin by describing the Vigenère cipher, named for French diplomat and cryptographer 
Blaise de Vigenère. Instead of encrypting each letter of a plaintext message in 
the same way, we will vary how we encrypt letters. The key of a Vigenère cipher consists 
of a keyword $\ell_1 \ell_2 \ldots \ell_n$. Suppose that the numerical equivalents of the letters 
$\ell_1, \ell_2, \ldots, \ell_n$ are $k_1, k_2, \ldots, k_n$, respectively. To encrypt a plaintext message, we first 
split it into blocks of length n. A block consisting of letters with numerical equivalents 
$p_1, p_2, \ldots, p_n$ is transformed into a ciphertext block of letters with numerical equivalents 
$c_1, c_2, \ldots, c_n$ using a sequence of shift ciphers with 


\[ c_i \equiv p_i + k_i \pmod{26}, \quad 0 \le c_i \le 25, \]


for $i = 1, 2, \ldots, n$. The Vigenère ciphers are the encryption algorithms for the cryptosystem 
where blocks of plaintext letters of length n are encrypted to blocks of ciphertext 
letters of the same length. The keys are n-tuples $(k_1, k_2, \ldots, k_n)$ of letters. (A terminal 
group of fewer than n dummy letters can be used to fill out a final block.) That is, Vigenère 
ciphers can be thought of as block ciphers operating on blocks of length n using 
keys of length n. 


Example 8.6. To encrypt the plaintext message MILLENNIUM using the key YTWOK 
for a Vigenère cipher, we first translate the message and the key into their numerical 
equivalents. The letters of the message and the letters of the key translate to 


\[ p_1 p_2 p_3 p_4 p_5 p_6 p_7 p_8 p_9 p_{10} = 12 \;\; 8 \;\; 11 \;\; 11 \;\; 4 \;\; 13 \;\; 13 \;\; 8 \;\; 20 \;\; 12 \]
and 
\[ k_1 k_2 k_3 k_4 k_5 = 24 \;\; 19 \;\; 22 \;\; 14 \;\; 10, \]


respectively. Applying the Vigenère cipher with the specified key, we find that the 
characters in the encrypted message are: 
\begin{align*}
c_1 &= p_1 + k_1 = 12 + 24 \equiv 10 \pmod{26} \\
c_2 &= p_2 + k_2 = 8 + 19 \equiv 1 \pmod{26} \\
c_3 &= p_3 + k_3 = 11 + 22 \equiv 7 \pmod{26} \\
c_4 &= p_4 + k_4 = 11 + 14 \equiv 25 \pmod{26} \\
c_5 &= p_5 + k_5 = 4 + 10 \equiv 14 \pmod{26} \\
c_6 &= p_6 + k_1 = 13 + 24 \equiv 11 \pmod{26} \\
c_7 &= p_7 + k_2 = 13 + 19 \equiv 6 \pmod{26} \\
c_8 &= p_8 + k_3 = 8 + 22 \equiv 4 \pmod{26} \\
c_9 &= p_9 + k_4 = 20 + 14 \equiv 8 \pmod{26} \\
c_{10} &= p_{10} + k_5 = 12 + 10 \equiv 22 \pmod{26}.
\end{align*}

BLAISE DE VIGENÈRE (1523-1596), born in the village of Saint-Pourçain, 
France, received an excellent education. At 17 he was sent to court, and at 22 to 
the Diet of Worms as a secretary. He became a secretary for the Duke of Nevers 
in 1547, and in 1549 he was sent to Rome as a diplomat. While there, he read 
numerous books on cryptography, a subject that he discussed with experts of the 
papal curia. In 1570, after a long career in diplomacy, interrupted by a period of 
study, Vigenère retired from court. He married a young wife, turned his annuity 
over to the poor of Paris, and dedicated himself to writing. He was the author 
of more than 20 books, the best known being his Traicté des Chiffres, written in 1585. In this book, 
Vigenère provides a comprehensive overview of cryptography. He discusses polyalphabetic ciphers 
at length and introduces several variations of known polyalphabetic ciphers, including the autokey 
cipher. Many historians believe that this cipher should have been called the “Vigenère” rather than 
the simpler one that now bears his name. 

Vigenère did not write only about cryptography. His Traicté des Chiffres also contains discussions 
of magic, alchemy, and the mysteries of the universe. His Traicté des Comètes helped destroy the myth 
that God flings comets at Earth to warn people to stop sinning. 


Translating the numerical equivalents of numbers back to letters we see that the encrypted 
message is KBHZO LGEIW. 


Example 8.7. To decrypt the ciphertext message FFFLB CVFX encrypted using a 
Vigenère cipher with key ZORRO, we first translate the letters of the ciphertext message 
into their numerical equivalents to obtain 
$c_1 c_2 c_3 c_4 c_5 c_6 c_7 c_8 c_9 = 5 \;\; 5 \;\; 5 \;\; 11 \;\; 1 \;\; 2 \;\; 21 \;\; 5 \;\; 23$. 
The numerical equivalents of the letters in the key are 
$k_1 k_2 k_3 k_4 k_5 = 25 \;\; 14 \;\; 17 \;\; 17 \;\; 14$. To 
obtain the numerical equivalents of the plaintext letters, we proceed as follows: 


\begin{align*}
p_1 &= c_1 - k_1 = 5 - 25 \equiv 6 \pmod{26} \\
p_2 &= c_2 - k_2 = 5 - 14 \equiv 17 \pmod{26} \\
p_3 &= c_3 - k_3 = 5 - 17 \equiv 14 \pmod{26} \\
p_4 &= c_4 - k_4 = 11 - 17 \equiv 20 \pmod{26} \\
p_5 &= c_5 - k_5 = 1 - 14 \equiv 13 \pmod{26} \\
p_6 &= c_6 - k_1 = 2 - 25 \equiv 3 \pmod{26} \\
p_7 &= c_7 - k_2 = 21 - 14 \equiv 7 \pmod{26} \\
p_8 &= c_8 - k_3 = 5 - 17 \equiv 14 \pmod{26} \\
p_9 &= c_9 - k_4 = 23 - 17 \equiv 6 \pmod{26}.
\end{align*}


Translating the numerical equivalents back to letters, we see that the plaintext message 
was GROUNDHOG. 


Cryptanalysis of Vigenère Ciphers 


The Vigenère cipher was considered unbreakable for many years. It was used extensively 
to encrypt sensitive information transmitted by telegraphy. However, by the 
mid-nineteenth century, techniques were developed that could successfully break Vigenère 
ciphers. In 1863, Friedrich Kasiski, a Prussian military officer, described a method, now 
known as Kasiski’s test, for determining the key length of a Vigenère cipher. Once the 
key length is known, frequency analysis of letters in the ciphertext can be used to determine 
the characters of the key. As with many discoveries named after their presumed 
first inventor, Kasiski was not the first person to discover this method. We now know 
that Charles Babbage discovered the same test in 1854. However, the publication of 
Babbage’s discovery was delayed for many years. The reason for this delay was British 
national security. The British military used Babbage’s test to break secret messages sent 
by their adversaries and did not want this to become known. 


Kasiski’s method is based on finding identical strings in ciphertext. When a message 
is encrypted using a Vigenère cipher with key length n, identical strings of plaintext 
separated by a multiple of n are encrypted to the same string (see Exercise 5). Kasiski’s 
test is based on locating identical strings in the ciphertext, generally of length three 
or more, which likely correspond to identical strings in the plaintext. For each pair of 
identical ciphertext strings, we determine the difference between the positions of their 
initial characters. Suppose there are k such pairs of identical strings in the ciphertext and 
$d_1, d_2, d_3, \ldots, d_k$ are the differences in the positions of their initial characters. If these 
pairs of identical ciphertext strings really do correspond to identical plaintext strings, the 
key length n must divide each of the integers $d_i$, $i = 1, 2, \ldots, k$. It would then follow 
that n divides the greatest common divisor of these integers, $(d_1, d_2, \ldots, d_k)$. 


Because different strings of plaintext may be encrypted to the same ciphertext by 
different parts of the encryption key, some differences in starting positions of identical 
strings of ciphertext are extraneous and should be discarded. To overcome this problem, 
we can compute the greatest common divisor of some, but not all, of these differences. 


We can run a second test to help us assess whether we have found the correct key 
length. This test, developed by the famous American cryptographer William Friedman 
in 1920, estimates the key length of a Vigenère cipher by studying the variation in 
frequencies of ciphertext letters. Friedman observed that there is considerable variation 
in the frequencies of the letters in English text, but as the length of the key used in a 
Vigenère cipher increases, this variation becomes smaller and smaller. 


Friedman introduced a measure called the index of coincidence. Given a string of 
n characters $x_1, x_2, \ldots, x_n$, its index of coincidence, denoted by IC, is the probability 
that two randomly chosen elements of this string are the same. We now assume that we 
are working with strings of English letters and that the letters A, B, ..., Y, and Z occur 
$f_0, f_1, \ldots, f_{24}$, and $f_{25}$ times, respectively, in a string. 


Because the ith letter occurs $f_i$ times, there are 
\[ \binom{f_i}{2} = \frac{f_i(f_i - 1)}{2} \]
ways to choose two of its elements so that both are the ith character. Because there are 
$\binom{n}{2} = n(n - 1)/2$ ways to choose two characters in the string, we can conclude that the 
index of coincidence for this string is 


\[ IC = \frac{\sum_{i=0}^{25} f_i(f_i - 1)}{n(n - 1)}. \]


Now consider a string of English plaintext. If the plaintext is sufficiently long, we 
expect the frequencies of letters to approximate their frequencies in typical English 
(shown in Table 8.4). Suppose that $p_0, p_1, \ldots, p_{25}$ are the expected probabilities of 
A, B, ..., Y, and Z, respectively. It follows that the probability two randomly chosen 
letters are both A is $p_0^2$, the probability both are B is $p_1^2$, and so on. Consequently, we 
would expect the index of coincidence of this plaintext to be approximately 


\[ \sum_{i=0}^{25} p_i^2 \approx 0.065. \]


(The values $p_i$, $i = 0, 1, \ldots, 25$ used in this computation can be found in [St05].) 
Moreover, this reasoning applies for ciphertext produced by character ciphers. For a 
character cipher, the probability of occurrence of a character in ciphertext equals the 
probability of occurrence of the corresponding plaintext character. Consequently, for 
ciphertext encrypted with a character cipher, the terms of the sum $\sum_{i=0}^{25} p_i^2$ are permuted, 
but the sum is not changed. 


To use indices of coincidence to determine whether we have guessed correctly 
that the key has length k, we break the ciphertext message into k different parts. The 
first part contains characters in positions 1, k + 1, 2k +1, ...; the second part contains 
the characters in positions 2, k + 2, 2k +2,...; and so on. We compute the index 
of coincidence for each of these different parts separately. If our guess was correct, 
each of these indices of coincidence should be approximately 0.065. However, if we 
guessed wrong, these values will most likely be less than 0.065. They probably will be 
considerably closer to the index of coincidence of a random string of English characters, 
namely $1/26 \approx 0.038$. (This index of coincidence can be computed using the probabilities 
of occurrence of letters in typical English text.) 


For each part of the ciphertext, we attempt to find the letter of the key that was used to 
encrypt letters in this part by examining letter frequencies. We determine the most likely 
possibilities for the letters of the key by determining the letters that are most frequent in 
the ciphertext and presuming they correspond with the most common letters of English. 
To determine whether we have guessed correctly, we can compare the frequencies we 
expect when letters are encrypted by shifting them using this letter of the key with the 
observed frequencies for this part of the ciphertext. 


Once we have made our best guess for each letter of the key, we attempt to decrypt the 
message using the key we have computed. If we recover a meaningful plaintext message, 
we presume we have recovered the correct plaintext. On the other hand, if we end up 
with nonsense, we go back to the drawing board and check out other possibilities. 


We now illustrate the cryptanalysis of ciphertext encrypted using a Vigenère cipher. 


Example 8.8. Suppose that the ciphertext produced by encrypting plaintext using a 
Vigenère cipher is 


QWHID DNZEM WTLMT BKTIT EMWLZ 
WVCVE HLTBS TUDLG WNUJE WJEUL 
EXWQO SLNZA NLHYQ ALWEH VOQWD 
VQTBW ILURY STIJW CLHWW RNSIH 
MNUDI YFAVD ELAGB LSNZA NSMIF 
GNZEM WALWL CXEFA BYJTS SNXLH 
YHULK UCLOZ ZAJHI HWSM. 


We describe the steps we use to break this message. We first use the Kasiski test, 
looking for repeated triples of letters in the ciphertext. We list our findings in a table: 


Triple   Starting positions   Differences in starting positions
EMW      9, 21, 129           12, 108, 120
ZEM      8, 128               120
ZAN      59, 119              60
NZE      7, 127               120
NZA      58, 118              60
LHY      62, 149              87
ALW      66, 132              66

The differences between identical ciphertext blocks of length three are 12, 60, 66, 87, 
108, and 120. Because (12, 60, 66, 87, 108, 120) = 3, we guess that the key length 
equals 3. 


Assuming that this guess is correct, we split the ciphertext into three separate 
parts. The first contains the letters in positions 1, 4, 7, ..., 169; the second contains 
the letters in positions 2, 5, 8, ..., 167; and the third contains the letters in positions 
3, 6, 9, ..., 168. To confirm that our guess is correct, we compute the indices of 
coincidence for each of these three parts of the ciphertext, obtaining 0.071, 0.109, 
and 0.091, respectively. (We leave the details of these computations to the reader. See 
Exercise 12.) One of these numbers is relatively close to the index of coincidence for 
English text, 0.065, and the other two are even larger. This indicates that 3 might be the 
correct key length. Because our ciphertext is rather short, we are not too worried that 
these indices of coincidence are not as close to 0.065 as we might like. Note that if our 
guess was wrong, we would expect some of these indices of coincidence to be smaller 
than 0.065, perhaps even near 0.038. 


After some work, which we leave to the reader, we find the key used to encrypt the 
message is USA and the corresponding plaintext is 


WEHOL DTHES ETRUT HSTOB ESELF 
EVIDE NTTHA TALLM ENARE CREAT 
EDEQU ALTHA TTHEY AREEN DOWED 
BYTHE IRCRE ATORW ITHCE RTAIN 
UNALI ENABL ERIGH TSTHA TAMON 
GTHES EAREL IFELI BERTY ANDTH 
EPURS UITOF HAPPI NESS. 


This plaintext comes from the Declaration of Independence of the United States. It 
reads: “We hold these truths to be self-evident, that all men are created equal, that 
they are endowed by their Creator with certain unalienable Rights, that among these 
are Life, Liberty, and the pursuit of Happiness.” For more information on cryptanalysis 
of Vigenère ciphers, see [St05] and [TrWa02]. 
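The steps of Example 8.8 can be reproduced in code. This is an added example, not code from the book: it runs the Kasiski search for repeated triples, splits the ciphertext into parts for a guessed key length, computes the index of coincidence of each part, and checks the key USA by decrypting. Function names are assumptions, and the group before the last is read as ZAJHI, which is what the page's plaintext (HAPPI) implies.

```python
from collections import Counter, defaultdict
from functools import reduce
from math import gcd

# Ciphertext of Example 8.8 with the group separators removed (169 letters).
CIPHERTEXT = "".join("""
QWHID DNZEM WTLMT BKTIT EMWLZ WVCVE HLTBS TUDLG WNUJE WJEUL
EXWQO SLNZA NLHYQ ALWEH VOQWD VQTBW ILURY STIJW CLHWW RNSIH
MNUDI YFAVD ELAGB LSNZA NSMIF GNZEM WALWL CXEFA BYJTS SNXLH
YHULK UCLOZ ZAJHI HWSM
""".split())


def repeated_ngrams(text, size=3):
    """Map each string of `size` letters that occurs more than once to its
    1-based starting positions (the convention used in the table above)."""
    seen = defaultdict(list)
    for i in range(len(text) - size + 1):
        seen[text[i:i + size]].append(i + 1)
    return {gram: pos for gram, pos in seen.items() if len(pos) > 1}


def differences(positions):
    """All pairwise differences between the starting positions of one string."""
    return sorted(b - a for i, a in enumerate(positions) for b in positions[i + 1:])


def gcd_of(values):
    return reduce(gcd, values)


def parts(text, key_length):
    """Part j holds the letters in positions j, j + k, j + 2k, ..."""
    return [text[j::key_length] for j in range(key_length)]


def index_of_coincidence(s):
    """IC = sum f_i (f_i - 1) / (n (n - 1)), the formula defined in the text."""
    n = len(s)
    return sum(f * (f - 1) for f in Counter(s).values()) / (n * (n - 1))


def sum_of_squared_frequencies(s):
    """sum (f_i / n)^2, the large-sample form of the same statistic."""
    n = len(s)
    return sum((f / n) ** 2 for f in Counter(s).values())


def vigenere_decrypt(text, key):
    """p_i = c_i - k_i (mod 26), cycling through the key letters."""
    shifts = [ord(ch) - 65 for ch in key]
    return "".join(chr((ord(c) - 65 - shifts[i % len(shifts)]) % 26 + 65)
                   for i, c in enumerate(text))


if __name__ == "__main__":
    repeats = repeated_ngrams(CIPHERTEXT)
    all_diffs = sorted({d for pos in repeats.values() for d in differences(pos)})
    # Accidental repeats can pull this gcd down to 1, which is why the text
    # allows discarding some differences before taking the gcd.
    print("differences:", all_diffs, "gcd:", gcd_of(all_diffs))
    for j, part in enumerate(parts(CIPHERTEXT, 3), start=1):
        print(f"part {j}: n={len(part)} IC={index_of_coincidence(part):.3f} "
              f"sum of squares={sum_of_squared_frequencies(part):.3f}")
    print(vigenere_decrypt(CIPHERTEXT, "USA"))
```

For these three short parts the sum of squared relative frequencies evaluates to 0.071, 0.109, and 0.091, the figures quoted in Example 8.8, while the formula with n(n - 1) in the denominator gives 0.055, 0.093, and 0.075.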
Hill Ciphers 


Hill ciphers are block ciphers invented by Lester Hill in 1929. To introduce Hill ciphers, 
we first consider digraphic ciphers; in these ciphers, each block of two letters of 
plaintext is replaced by a block of two letters of ciphertext. We illustrate this process 
with an example. 


Example 8.9. To encrypt a message using digraphic Hill ciphers, we first split a 
message into blocks of two letters (adding a dummy letter, say, X, at the end of the 
message, if necessary, so that the final block has two letters). For instance, the message 


THE GOLD IS BURIED IN ORONO 


is split up as 
TH EG OL DI SB UR IE DI NO RO NO. 
Next, these letters are translated into their numerical equivalents (as in previous examples) 
to obtain 
19 7   4 6   14 11   3 8   18 1   20 17   8 4   3 8 
13 14   17 14   13 14. 


Each block of two plaintext numbers $P_1 P_2$ is converted into a block of two ciphertext 
numbers $C_1 C_2$ by defining $C_1$ to be the least nonnegative residue modulo 26 of a linear 
combination of $P_1$ and $P_2$, and defining $C_2$ to be the least nonnegative residue modulo 
26 of a different linear combination of $P_1$ and $P_2$. For example, we can let 


\[ C_1 \equiv 5P_1 + 17P_2 \pmod{26}, \quad 0 \le C_1 < 26 \]
\[ C_2 \equiv 4P_1 + 15P_2 \pmod{26}, \quad 0 \le C_2 < 26, \]
in which case the first block 19 7 is converted to 6 25, because 
\[ C_1 \equiv 5 \cdot 19 + 17 \cdot 7 \equiv 6 \pmod{26} \]
\[ C_2 \equiv 4 \cdot 19 + 15 \cdot 7 \equiv 25 \pmod{26}. \]


After performing this operation on the entire message, the following ciphertext is obtained: 


6 25   18 2   23 13   21 2   3 9   25 23   4 14   21 2   17 2   11 18   17 2. 


LESTER S. HILL (1891-1961) was born in New York City. He graduated from Columbia 
College, and received his Ph.D. in mathematics from Yale University in 1926. He held 
positions at the University of Montana, Princeton University, the University of Maine, 
Yale University, and Hunter College. Hill was interested in applications of mathematics 
to communications. He developed methods for checking the accuracy of telegraphed code 
numbers and the encryption method known as the Hill cipher. Hill continued to submit 
cryptographic papers to the United States Navy mostly dealing with polygraphic ciphers 
for more than 30 years. 
When these blocks are translated into letters, we have the ciphertext message 
GZ SC XN VC DJ ZX EO VC RC LS RC. 


The decryption procedure for this cryptosystem is obtained by using Theorem 4.15. To 
find the plaintext block $P_1 P_2$ corresponding to the ciphertext block $C_1 C_2$ we use the 
relationship 


\[ P_1 \equiv 17C_1 + 5C_2 \pmod{26} \]
\[ P_2 \equiv 18C_1 + 23C_2 \pmod{26}. \]
(The reader should verify that this relationship is implied by Theorem 4.15.) 


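The digraphic cipher system in Example 8.9 is conveniently described using matrices. 
For this cryptosystem, we have 


\[ \begin{pmatrix} C_1 \\ C_2 \end{pmatrix} \equiv \begin{pmatrix} 5 & 17 \\ 4 & 15 \end{pmatrix} \begin{pmatrix} P_1 \\ P_2 \end{pmatrix} \pmod{26}. \]


By Theorem 4.17, we see that the matrix $\begin{pmatrix} 17 & 5 \\ 18 & 23 \end{pmatrix}$ is an inverse of $\begin{pmatrix} 5 & 17 \\ 4 & 15 \end{pmatrix}$ modulo 
26. Hence, Theorem 4.16 tells us that decryption can be done using the relationship 


\[ \begin{pmatrix} P_1 \\ P_2 \end{pmatrix} \equiv \begin{pmatrix} 17 & 5 \\ 18 & 23 \end{pmatrix} \begin{pmatrix} C_1 \\ C_2 \end{pmatrix} \pmod{26}. \]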

In general, a Hill cryptosystem may be obtained by splitting plaintext into blocks of n 
letters, translating the letters into their numerical equivalents, and forming ciphertext 
using the relationship 


\[ C \equiv AP \pmod{26}, \]


where A is an $n \times n$ matrix, $(\det A, 26) = 1$, 
$C = \begin{pmatrix} C_1 \\ C_2 \\ \vdots \\ C_n \end{pmatrix}$ and $P = \begin{pmatrix} P_1 \\ P_2 \\ \vdots \\ P_n \end{pmatrix}$, and 
$C_1 C_2 \ldots C_n$ is the ciphertext block that corresponds to the plaintext block $P_1 P_2 \ldots P_n$. 
Finally, the ciphertext numbers are translated back to letters. For decryption, we use 
the matrix $\overline{A}$, an inverse of A modulo 26, which may be obtained using Theorem 4.19. 
Because $\overline{A}A \equiv I \pmod{26}$, we have 


\[ \overline{A}C \equiv \overline{A}(AP) \equiv (\overline{A}A)P \equiv P \pmod{26}. \]
Hence, to obtain plaintext from ciphertext, we use the relationship 


\[ P \equiv \overline{A}C \pmod{26}. \]


Example 8.10. We illustrate this procedure using n = 3 and the encrypting matrix 


\[ A = \begin{pmatrix} 11 & 2 & 19 \\ 5 & 23 & 25 \\ 20 & 7 & 1 \end{pmatrix}. \]


Because $\det A \equiv 5 \pmod{26}$, we have $(\det A, 26) = 1$. To encrypt a plaintext block of 
length three, we use the relationship 


\[ \begin{pmatrix} C_1 \\ C_2 \\ C_3 \end{pmatrix} \equiv A \begin{pmatrix} P_1 \\ P_2 \\ P_3 \end{pmatrix} \pmod{26}. \]


To encrypt the message STOP PAYMENT, we first split the message into blocks of three 
letters, adding a final dummy letter X to fill out the last block. We have plaintext blocks 


STO PPA YME NTX. 
We translate these letters into their numerical equivalents: 
18 19 14   15 15 0   24 12 4   13 19 23. 


We obtain the first block of ciphertext in the following way: 


\[ \begin{pmatrix} C_1 \\ C_2 \\ C_3 \end{pmatrix} \equiv \begin{pmatrix} 11 & 2 & 19 \\ 5 & 23 & 25 \\ 20 & 7 & 1 \end{pmatrix} \begin{pmatrix} 18 \\ 19 \\ 14 \end{pmatrix} \equiv \begin{pmatrix} 8 \\ 19 \\ 13 \end{pmatrix} \pmod{26}. \]


Encrypting the entire plaintext message in the same manner, we obtain the ciphertext 
message 


8 19 13   13 4 15   0 2 22   20 11 0. 
Translating this message into letters, we have our ciphertext message 


ITN NEP ACW ULA. 


The decrypting process for this polygraphic cipher system takes a ciphertext block 
and obtains a plaintext block using the transformation 


\[ \begin{pmatrix} P_1 \\ P_2 \\ P_3 \end{pmatrix} \equiv \overline{A} \begin{pmatrix} C_1 \\ C_2 \\ C_3 \end{pmatrix} \pmod{26}, \]
where 
\[ \overline{A} = \begin{pmatrix} 6 & -5 & 11 \\ -5 & -1 & -10 \\ -7 & 3 & 7 \end{pmatrix} \]


is an inverse of A modulo 26, which may be obtained using Theorem 4.19. 


Because polygraphic ciphers operate with blocks, rather than with individual letters, 
they are not vulnerable to cryptanalysis based on letter frequency. However, polygraphic 
ciphers operating with blocks of size n are vulnerable to cryptanalysis based on frequencies 
of blocks of size n. For instance, with a digraphic cryptosystem, there are $26^2 = 676$ 
digraphs, blocks of length two. Studies have been done to compile the relative frequencies 
of digraphs in typical English text. By comparing the frequencies of digraphs in the 
ciphertext with the average frequencies of digraphs, it is often possible to successfully 
attack digraphic ciphers. For example, according to some counts, the most common digraph 
in English is TH, followed closely by HE. If a Hill digraphic cryptosystem has 
been employed and the most common digraph is KX, followed by VZ, we may guess 
that the ciphertext digraphs KX and VZ correspond to TH and HE, respectively. This 
would mean that the blocks 19 7 and 7 4 are sent to 10 23 and 21 25, respectively. If A 
is the encrypting matrix, this implies that 


\[ A \begin{pmatrix} 19 & 7 \\ 7 & 4 \end{pmatrix} \equiv \begin{pmatrix} 10 & 21 \\ 23 & 25 \end{pmatrix} \pmod{26}. \]


Because $\begin{pmatrix} 4 & 19 \\ 19 & 19 \end{pmatrix}$ is an inverse of $\begin{pmatrix} 19 & 7 \\ 7 & 4 \end{pmatrix}$ (mod 26), we find that 


\[ A \equiv \begin{pmatrix} 10 & 21 \\ 23 & 25 \end{pmatrix} \begin{pmatrix} 4 & 19 \\ 19 & 19 \end{pmatrix} \equiv \begin{pmatrix} 23 & 17 \\ 21 & 2 \end{pmatrix} \pmod{26}, \]


which gives a possible key. After attempting to decrypt the ciphertext using 
$\overline{A} = \begin{pmatrix} 2 & 9 \\ 5 & 23 \end{pmatrix}$ to transform it, we would know whether our guess was correct. 


In general, if we know n correspondences between plaintext blocks of size n 
and ciphertext blocks of size n—for instance, if we know that the ciphertext blocks 
$C_{1j} C_{2j} \ldots C_{nj}$, $j = 1, 2, \ldots, n$, correspond to the plaintext blocks $P_{1j} P_{2j} \ldots P_{nj}$, 
$j = 1, 2, \ldots, n$, respectively—then we have 
\[ A \begin{pmatrix} P_{1j} \\ \vdots \\ P_{nj} \end{pmatrix} \equiv \begin{pmatrix} C_{1j} \\ \vdots \\ C_{nj} \end{pmatrix} \pmod{26}, \]
for $j = 1, 2, \ldots, n$. 
These n congruences can be succinctly expressed using the matrix congruence 
\[ AP \equiv C \pmod{26}, \]


where P and C are $n \times n$ matrices with ijth entries $P_{ij}$ and $C_{ij}$, respectively. If 
$(\det P, 26) = 1$, then we can find the encrypting matrix A via 


\[ A \equiv C\overline{P} \pmod{26}, \]
where $\overline{P}$ is an inverse of P modulo 26. 


Cryptanalysis using frequencies of polygraphs is only worthwhile for small values 
of n, where n is the size of the polygraphs. When n = 10, for example, there are $26^{10}$, 
which is approximately $1.4 \times 10^{14}$, polygraphs of this length. Any analysis of the relative 
frequencies of these polygraphs is extremely infeasible. 
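The matrix arithmetic of this subsection, including the known-plaintext recovery of the key from n block pairs, can be checked with a short program. This is an added example, not code from the book; it generalizes from the 2 x 2 case to any block size n >= 2 by inverting matrices modulo 26 through the adjugate, and all function names are assumptions.

```python
from math import gcd

M = 26


def nums(text):
    """A..Z -> 0..25, ignoring spaces."""
    return [ord(ch) - 65 for ch in text.upper() if ch.isalpha()]


def det(m):
    """Integer determinant by cofactor expansion (adequate for small n)."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * x * det([row[:j] + row[j + 1:] for row in m[1:]])
               for j, x in enumerate(m[0]))


def inverse_mod(m, mod=M):
    """Inverse of a square matrix (n >= 2) modulo mod: det^-1 * adjugate."""
    n, d = len(m), det(m) % mod
    if gcd(d, mod) != 1:
        raise ValueError("matrix is not invertible modulo %d" % mod)
    d_inv = pow(d, -1, mod)
    inv = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [r[:j] + r[j + 1:] for k, r in enumerate(m) if k != i]
            inv[j][i] = d_inv * (-1) ** (i + j) * det(minor) % mod
    return inv


def matmul_mod(a, b, mod=M):
    return [[sum(x * y for x, y in zip(row, col)) % mod for col in zip(*b)]
            for row in a]


def hill_apply(text, key):
    """Multiply each block of len(key) letters by key, padding with X.
    Encrypts with A; decrypts when given an inverse of A modulo 26."""
    n, p = len(key), nums(text)
    p += [23] * (-len(p) % n)
    out = []
    for i in range(0, len(p), n):
        column = [[v] for v in p[i:i + n]]
        out += [row[0] for row in matmul_mod(key, column)]
    return "".join(chr(v + 65) for v in out)


def recover_key(plain_blocks, cipher_blocks):
    """A = C * P^-1 (mod 26), where the columns of P and C are the n known
    plaintext blocks and their ciphertext blocks. Raises ValueError when
    (det P, 26) != 1, in which case other block pairs are needed."""
    P = [list(col) for col in zip(*(nums(b) for b in plain_blocks))]
    C = [list(col) for col in zip(*(nums(b) for b in cipher_blocks))]
    return matmul_mod(C, inverse_mod(P))


if __name__ == "__main__":
    guess = recover_key(["TH", "HE"], ["KX", "VZ"])
    print("recovered key:", guess, "decrypting matrix:", inverse_mod(guess))
    A3 = [[11, 2, 19], [5, 23, 25], [20, 7, 1]]
    ct = hill_apply("STOP PAYMENT", A3)
    print(ct, "->", hill_apply(ct, inverse_mod(A3)))
```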


The Data Encryption Standard and Related Ciphers 


The most important cipher that has been used for commercial and government applications 
during the past 20 years is the Data Encryption Algorithm (DEA), which was 
standardized in 1977 by the federal government as part of the Data Encryption Standard 
(DES) (Federal Information Processing Standard 46-1). It was developed by IBM and 
was known as Lucifer before it became a standard. The DEA is a block cipher that encrypts 
64-bit blocks using a 64-bit key (where the last 8 bits of the key are parity check 
bits stripped off before use) transforming them into 64-bit ciphertext blocks. 


The encryption procedure used by the DEA is extremely complicated and will not 
be described in detail here. Basically, a plaintext block of 64 bits is encrypted by first 
permuting the 64 bits, iterating a function that operates on the left and right halves of a 
string of 64 bits in a particular way 16 times, and then applying the inverse of the initial 
permutation. Details of this cipher can be found in [St05] and [MevaVa97]. These details 
are easily understandable by anyone of the mathematical maturity of students using this 
text; they are quite lengthy, however. 


The DEA is a symmetric cipher. Both the sender and the receiver of a message must 
know the same secret key, which is used for both encryption and decryption. Distributing 
secure keys for use by the DEA is a difficult problem, which can be addressed using 
public key cryptography (discussed in Section 8.4). 


Although the DEA has not been broken, in the sense that no easy attack on it has 
been found, it is vulnerable to brute-force analysis. An exhaustive search can now check 
all $2^{56}$ possible keys in less than a day. Because of the vulnerability of this algorithm to 
such attacks, the National Institute of Standards and Technology (NIST) decided not to 
certify DES for use after 1998. 


In November 2000, NIST selected a new algorithm called the Advanced Encryption 
Standard (AES) as the official encryption standard for the U.S. government. This encryption 
algorithm was developed by two Belgian scientists, Joan Daemen and Vincent 
Rijmen, and is called Rijndael after its creators. The adoption of Rijndael as the Advanced 
Encryption Standard followed three years of competition among many encryption algorithms 
submitted as candidates for the standard. The AES algorithm is capable of using 
128-, 192-, and 256-bit symmetric keys to encrypt and decrypt 128-bit blocks. The complexity 
of the AES and the size of the keys that it supports should make it resistant to 
brute-force attacks for many years. The U.S. government hopes that AES will remain 
secure for at least 20 years. 


Stream Ciphers 


The methods discussed so far have the property that the same key is used to determine the 
particular encryption transformation that is applied to each character (or block). Once 
a plaintext-ciphertext pair is known, the key can be found. To add additional security, 
we can change the key used to encrypt successive characters. To discuss this type of 
encryption, we must first define some terms. 


A sequence $k_1, k_2, k_3, \ldots$ of elements from a keyspace $\mathcal{K}$ is called a keystream. The 
encryption function corresponding to the key $k_i$ is denoted by $E_{k_i}$. A stream cipher is a 
cipher that sends a plaintext string $p_1 p_2 p_3 \ldots$, using a keystream $k_1, k_2, k_3, \ldots$, to a 
ciphertext string $c_1 c_2 c_3 \ldots$, where $c_i = E_{k_i}(p_i)$. The corresponding decryption function 
is $D_{d_i}(c_i) = p_i$, where $d_i$ is a decryption key corresponding to the encryption key $k_i$. 


We can generate the keystream for a stream cipher in different ways. For example, 
we can select the keys at random to construct a keystream, or we can use a keystream 
generator, a function that generates successive keys using an initial sequence of keys (the 
seed), perhaps also using previous plaintext symbols. 


The simplest (nontrivial) stream cipher is the Vernam Cipher, proposed by Gilbert 
Vernam in 1917 for the automatic encryption and decryption of telegraph messages. In 
this stream cipher, the keystream is a bit string $k_1 k_2 \ldots k_m$ of the same length as the 
plaintext message, which is a bit string $p_1 p_2 \ldots p_m$. Plaintext bits are encrypted using 
the map 


\[ E_{k_i}(p_i) \equiv k_i + p_i \pmod{2}. \]


Exactly two different encryption maps are used in a Vernam cipher. When $k_i = 0$, $E_{k_i}$ is 
the identity map that sends 0 to 0 and 1 to 1. When $k_i = 1$, $E_{k_i}$ is the map that sends 0 to 
1 and 1 to 0. The corresponding decryption transformation $D_{k_i}$ is identical to $E_{k_i}$. 


Example 8.11. When we encrypt the plaintext bit string 0 1111 0111 using a Vernam 
cipher with keystream 1 1000 1111, we obtain the bit string 1 0111 1000, where each bit 
is obtained by adding corresponding bits of the plaintext and the keystream. Decrypting 
this just requires that we repeat the operation.


Keystreams in the Vernam cipher should be used only once (see Exercise 38). When 
the keystream of a Vernam cipher is chosen at random and is used to encrypt exactly 
one plaintext message, it is called a one-time pad. It can be shown that a one-time pad is 
unbreakable, in the sense that someone with a ciphertext string encrypted using a random 
keystream used only once can do no better than to simply guess at the plaintext string. 
The problem with the Vernam cipher is that the keystream must be at least as long as 
the plaintext message, and must be transmitted securely between two parties who want 
to use a one-time pad. Consequently, the one-time pad is not used except for extremely 
sensitive communications, mostly of a diplomatic or military nature. 
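The following Python code is an added example, not part of the text. It implements the Vernam map on bit strings, reproduces Example 8.11, and shows what is lost when a keystream is reused: the sum of the two ciphertexts equals the sum of the two plaintexts, and one known plaintext gives back the keystream. The second message and all function names are constructed for illustration.

```python
"""Vernam cipher on bit strings, and what a reused keystream gives away."""
import secrets


def parse_bits(text):
    """Convert a bit string such as '0 1111 0111' to a list of ints (spaces ignored)."""
    compact = "".join(text.split())
    if not compact or set(compact) - {"0", "1"}:
        raise ValueError("expected a non-empty string of 0s and 1s")
    return [int(ch) for ch in compact]


def add_mod2(a, b):
    """Return the bitwise sum a_i + b_i (mod 2) of two equal-length bit lists."""
    if len(a) != len(b):
        raise ValueError("the keystream must be exactly as long as the message")
    return [(x + y) % 2 for x, y in zip(a, b)]


def vernam(bits, keystream):
    """E_k and D_k are the same map, so this both encrypts and decrypts."""
    return add_mod2(bits, keystream)


def random_keystream(length):
    """Keystream for a one-time pad: fresh random bits, to be used once only."""
    return [secrets.randbits(1) for _ in range(length)]


def keystream_from_known_pair(plaintext, ciphertext):
    """Known plaintext: c_i + p_i = k_i (mod 2), so one pair reveals the keystream."""
    return add_mod2(plaintext, ciphertext)


def sum_of_plaintexts(ciphertext_1, ciphertext_2):
    """Same keystream twice: c1 + c2 = (p1 + k) + (p2 + k) = p1 + p2 (mod 2)."""
    return add_mod2(ciphertext_1, ciphertext_2)


def demo():
    """Run Example 8.11, then reuse its keystream on a constructed message."""
    p1 = parse_bits("0 1111 0111")      # plaintext of Example 8.11
    k = parse_bits("1 1000 1111")       # keystream of Example 8.11
    c1 = vernam(p1, k)

    p2 = parse_bits("1 0101 0101")      # constructed second message
    c2 = vernam(p2, k)                  # the mistake: same keystream again

    leaked = sum_of_plaintexts(c1, c2)            # p1 + p2, no key needed
    k_found = keystream_from_known_pair(p1, c1)   # the whole keystream
    p2_found = vernam(c2, k_found)                # so the second message falls

    # With a fresh keystream for the second message, the ciphertext sum
    # still contains k + k_fresh and no longer equals p1 + p2 in general.
    k_fresh = random_keystream(len(p2))
    masked = sum_of_plaintexts(c1, vernam(p2, k_fresh))
    return {"c1": c1, "leaked": leaked, "k_found": k_found,
            "p2_found": p2_found, "k_fresh": k_fresh, "masked": masked}


if __name__ == "__main__":
    for name, bits in demo().items():
        print(f"{name:9s}", "".join(map(str, bits)))
```
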


GILBERT S. VERNAM (1890-1960) was born in Brooklyn, New York. After
graduating from Worcester Polytechnic Institute, he took a job at AT&T. He
was able to visualize electrical circuits without actually implementing them.
He was noted for his cleverness; one story quotes him as asking “What can
I invent now?” each evening while stretched out on his couch. At AT&T, he
developed a method to make transmission via the teletypewriter, the first system
that automated cryptology, secure. At AT&T, he also developed a technique
for encrypted digital images. Vernam also held positions with the International
Communications Laboratories and the Postal Telegraph Cable Company. He was granted 65 patents
for his inventions in cryptography and in telegraph switching systems.


We will describe another stream cipher, the autokey cipher invented by Vigenère
in the sixteenth century. The autokey cipher uses an initial seed key, which is a single
character; subsequent keys are plaintext characters. In particular, the autokey cipher
shifts each plaintext character, other than the first character, by the numerical equivalent
of the previous character modulo 26; it shifts the first character by the numerical equivalent
of the seed character modulo 26. That is, the autokey cipher encrypts a character $p_i$
according to the transformation

$$c_i \equiv p_i + k_i \pmod{26},$$

where $p_i$ is the numerical equivalent of the ith plaintext character, $c_i$ is the numerical
equivalent of the ith ciphertext character, and $k_i$, the numerical equivalent of the ith
character of the keystream, is given by $k_1 = s$, where $s$ is the numerical equivalent of the
seed character, and $k_i = p_{i-1}$ for $i \geq 2$.


To decrypt a message encrypted with the autokey cipher, we need to know the seed. 
We subtract the seed from the first ciphertext character modulo 26 to determine the 
first plaintext character, and then we subtract the numerical equivalent of each plaintext 
character modulo 26 from the next ciphertext character to obtain the next plaintext 
character. 


We illustrate how to encrypt and decrypt using the autokey cipher in the following 
examples. 


Example 8.12. To encrypt the plaintext message HERMIT using the autokey cipher
with seed X (with numerical equivalent 23), we first translate the letters of HERMIT
into their numerical equivalents to obtain 7 4 17 12 8 19. The keystream consists of the
numbers 23 7 4 17 12 8. The numerical equivalents of the characters in the ciphertext
message are

$$\begin{aligned}
p_1 + k_1 &= 7 + 23 \equiv 4 \pmod{26} \\
p_2 + k_2 &= 4 + 7 \equiv 11 \pmod{26} \\
p_3 + k_3 &= 17 + 4 \equiv 21 \pmod{26} \\
p_4 + k_4 &= 12 + 17 \equiv 3 \pmod{26} \\
p_5 + k_5 &= 8 + 12 \equiv 20 \pmod{26} \\
p_6 + k_6 &= 19 + 8 \equiv 1 \pmod{26}.
\end{aligned}$$

Translating back to letters, we see that the ciphertext is ELVDUB.


Example 8.13. To decrypt the ciphertext message RMNTU encrypted using the autokey
cipher with seed F, we first translate the characters of the ciphertext into their
numerical equivalents to obtain 17 12 13 19 20. We obtain the numerical equivalent of
the first plaintext character by computing

$$p_1 \equiv c_1 - s = 17 - 5 \equiv 12 \pmod{26}.$$

We obtain the numerical equivalent of successive plaintext characters as follows:

$$\begin{aligned}
p_2 &\equiv c_2 - p_1 = 12 - 12 \equiv 0 \pmod{26} \\
p_3 &\equiv c_3 - p_2 = 13 - 0 \equiv 13 \pmod{26} \\
p_4 &\equiv c_4 - p_3 = 19 - 13 \equiv 6 \pmod{26} \\
p_5 &\equiv c_5 - p_4 = 20 - 6 \equiv 14 \pmod{26}.
\end{aligned}$$

Translating these numerical equivalents back to letters, we find that the plaintext message
was MANGO.
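The autokey procedure of Examples 8.12 and 8.13, written out as an added Python example (not part of the text; the function names are chosen here). It goes one step beyond the text by decrypting with a wrong seed: because each recovered letter becomes the next key, a seed that is off by t shifts the recovered letters by -t, +t, -t, ... in alternation.

```python
"""Autokey cipher with a one-letter seed (A = 0, ..., Z = 25)."""


def to_numbers(text):
    """Numerical equivalents of the letters in text; other characters are dropped."""
    return [ord(ch) - ord("A") for ch in text.upper() if "A" <= ch <= "Z"]


def to_letters(numbers):
    """Translate numerical equivalents back to capital letters."""
    return "".join(chr(n % 26 + ord("A")) for n in numbers)


def seed_value(seed):
    """Numerical equivalent of the seed, which must be a single letter."""
    nums = to_numbers(seed)
    if len(nums) != 1:
        raise ValueError("the seed must be a single letter")
    return nums[0]


def keystream(plaintext, seed):
    """k_1 = s and k_i = p_(i-1) for i >= 2."""
    p = to_numbers(plaintext)
    return [seed_value(seed)] + p[:-1] if p else []


def encrypt(plaintext, seed):
    """c_i = p_i + k_i (mod 26)."""
    p = to_numbers(plaintext)
    k = keystream(plaintext, seed)
    return to_letters((pi + ki) % 26 for pi, ki in zip(p, k))


def decrypt(ciphertext, seed):
    """p_1 = c_1 - s, then p_i = c_i - p_(i-1) (mod 26)."""
    key = seed_value(seed)
    plain = []
    for c in to_numbers(ciphertext):
        p = (c - key) % 26
        plain.append(p)
        key = p  # the letter just recovered is the key for the next one
    return to_letters(plain)


def offsets(recovered, original):
    """Letter-by-letter difference (recovered - original) modulo 26."""
    return [(r - o) % 26
            for r, o in zip(to_numbers(recovered), to_numbers(original))]


if __name__ == "__main__":
    print(keystream("HERMIT", "X"))         # keystream of Example 8.12
    print(encrypt("HERMIT", "X"))           # ciphertext of Example 8.12
    print(decrypt("RMNTU", "F"))            # plaintext of Example 8.13
    wrong = decrypt("ELVDUB", "Y")          # seed Y instead of X (off by 1)
    print(wrong, offsets(wrong, "HERMIT"))  # alternating -1, +1 (mod 26)
```
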


We have only briefly touched the surface of the deep subject of stream ciphers. For 
more information about them, including descriptions of stream ciphers used in practice, 
consult [MevaVa97]. 


EXERCISES 


1. Use the Vigenère cipher with encrypting key SECRET to encrypt the message

DO NOT OPEN THIS ENVELOPE.


2. Decrypt the following message, which was enciphered using the Vigenère cipher with
encrypting key SECRET:

WBRCS LAZGJ MGKMF V.


3. Use the Vigenère cipher with encrypting key TWAIN to encrypt the message

AN ENGLISHMAN IS A PERSON WHO DOES THINGS BECAUSE THEY HAVE BEEN
DONE BEFORE. AN AMERICAN IS A PERSON WHO DOES THINGS BECAUSE THEY
HAVE NOT BEEN DONE BEFORE.


4. Decrypt the following message, which was enciphered using the Vigenère cipher with
encrypting key TWAIN.

PACWH EZUAR NLTEB XPEZA BPIMF 
BJLMN KJ IVT THLBU TPIAG HXETR 
TNNMQ TXOCG HQRWJ GSOZY WWNLG 
AATPB NOAVQ LKFVN MEOVF MDABU 
TREIE BOEVN GZFTB NNIAU XZAVQ 
OWNQF AADNE HIIBZ TPHMZ TPIKF 
THOVR PKUTQ HYCCC RIEMV ZDTUV 
EHIWA RAAZF 


5. Suppose a plaintext message is encrypted using a Vigenère cipher. Show that identical strings
of characters separated by a multiple of the key length are encrypted to the same string of
ciphertext characters.


In Exercises 6-11, use the procedure described in the text to cryptanalyze the given ciphertext,
which was encrypted using a Vigenère cipher.

11. TUZTU WFGCG LHGTF GMKGR FIASR
KWKRR DAAGU WDGTQ GEYNB LISPY
QTNAG SLRWU GAXEY SUMHR VAZAE
WGKNV MSKSG ZEELN MGNEQ STIOY
MMHU F LHKYY SUMHR VAZFH DTUNG
ZEELN MGNEQ STZHR OROGU LBXOG
ZEXSO MTZHR QARSB DAAGU WDGTO
GZUTU WCROJ F


12. Show how we find that the correct key in Example 8.8 is USA once we know the key has
length three.


13. Using the digraphic cipher that sends the plaintext block $P_1P_2$ to the ciphertext block $C_1C_2$,
with

$$C_1 \equiv 3P_1 + 10P_2 \pmod{26}$$
$$C_2 \equiv 9P_1 + 7P_2 \pmod{26},$$

encrypt the message BEWARE OF THE MESSENGER.


14. Using the digraphic cipher that sends the plaintext block $P_1P_2$ to the ciphertext block $C_1C_2$,
with

$$C_1 \equiv 8P_1 + 9P_2 \pmod{26}$$
$$C_2 \equiv 3P_1 + 11P_2 \pmod{26},$$

encrypt the message DO NOT SHOOT THE MESSENGER.


15. Decrypt the ciphertext message RD SR QO VU QB CZ AN QW RD DS AK OB, which was
encrypted using the digraphic cipher that sends the plaintext block $P_1P_2$ into the ciphertext
block $C_1C_2$, with

$$C_1 \equiv 13P_1 + 4P_2 \pmod{26}$$
$$C_2 \equiv 9P_1 + P_2 \pmod{26}.$$


16. Decrypt the ciphertext message UW DM NK QB EK, which was encrypted using the
digraphic cipher that sends the plaintext block $P_1P_2$ into the ciphertext block $C_1C_2$, with

$$C_1 \equiv 23P_1 + 3P_2 \pmod{26}$$


17. A cryptanalyst has determined that the two most common digraphs in a ciphertext message are
RH and NI, and guesses that these ciphertext digraphs correspond to the two most common
digraphs in English text, TH and HE. If the plaintext was encrypted using a Hill digraphic
cipher described by

$$C_1 \equiv aP_1 + bP_2 \pmod{26}$$
$$C_2 \equiv cP_1 + dP_2 \pmod{26},$$

what are a, b, c, and d?


18. How many pairs of letters remain unchanged when encryption is performed using each of the
following digraphic ciphers?

a) $C_1 \equiv 4P_1 + 5P_2 \pmod{26}$
   $C_2 \equiv 3P_1 + P_2 \pmod{26}$

b) $C_1 \equiv 7P_1 + 17P_2 \pmod{26}$
   $C_2 \equiv P_1 + 6P_2 \pmod{26}$

c) $C_1 \equiv 3P_1 + 5P_2 \pmod{26}$
   $C_2 \equiv 6P_1 + 3P_2 \pmod{26}$


19. Show that if the encrypting matrix A in the Hill cipher system is involutory modulo 26, that
is, $A^2 \equiv I \pmod{26}$, then A also serves as a decrypting matrix for this cipher system.


20. A cryptanalyst has determined that the three most common trigraphs (blocks of length 
three) in a ciphertext are LME, WRI, and ZYC, and guesses that these ciphertext trigraphs 
correspond to the three most common trigraphs in English text, THE, AND, and THA. If the 
plaintext was encrypted using a Hill trigraphic cipher described by C = AP (mod 26), what 
are the entries of the 3 x 3 encrypting matrix A? 


21. Find the product cipher obtained by using the digraphic Hill cipher with encrypting matrix 


( ; Ee ) followed by using on the result the digraphic Hill cipher with encrypting matrix 


5 1 
25 4) 


22. Show that the product cipher obtained from two digraphic Hill ciphers is again a digraphic 
Hill cipher. 


23. Show that the product cipher obtained by encrypting first using a Hill cipher with blocks of 
size m and then using a Hill cipher with blocks of size n is again a Hill cipher that uses blocks 
of size [m, n]. 


24. Find the 6 x 6 encrypting matrix corresponding to the product cipher obtained by first using 
the Hill cipher with encrypting matrix € 7 followed by using the Hill cipher with 


1 1 0 
encrypting matrix ( 10 1 } 
011 


25. In a transposition cipher, blocks of a specified size are encrypted by permuting their characters
in a specified manner. For instance, plaintext blocks of length five, $P_1P_2P_3P_4P_5$, may be sent
to ciphertext blocks $C_1C_2C_3C_4C_5$ = P,P; P>P,P3. Show that every such transposition cipher
is a Hill cipher with an encrypting matrix that contains only 0s and 1s as entries, with the
property that each row and each column contains exactly one 1.


Hill ciphers are special cases of block ciphers based on affine transformations. To form such a 
transformation, let A be an n x n matrix with integer entries and (det A, 26) = 1, and let B be
an n x 1 matrix with integer entries. To encrypt a message, we split it into blocks of length n 
and put the numerical equivalents of the letters in each block into an n x 1 matrix P (padding 
the last block with dummy letters, if necessary). We find the corresponding ciphertext block by 
computing C = (AP + B) (mod 26) and translating the entries in C back into letters. 


26. Using the affine transformation C = é a P+ ( 3 (mod 26) on blocks of two 
successive letters, encrypt the message HAVE A NICE DAY. 


27. What is the decrypting transformation associated with the affine transformation in Exercise 
26? 


28. What is the decrypting transformation associated with the encrypting transformation C =
(AP + B) (mod 26), where A is an n x n matrix with integer entries and (det A, 26) = 1, and
B is an n x 1 matrix with integer entries?


29. Decipher the message HG PM QR YN NM that was encrypted using the affine transformation

c=(43 a P+ (3) (mod 26).


30. Explain how you would go about decrypting a message that was encrypted in blocks of length
two using an affine transformation C = AP + B (mod 26), where A is a 2 x 2 matrix with
integer entries and (det A, 26) = 1, and B is a 2 x 1 matrix with integer entries.


31. Explain how you would go about decrypting a message that was encrypted in blocks of length
three using an affine transformation C = AP + B (mod 26), where A is a 3 x 3 matrix with
integer entries and (det A, 26) = 1, and B is a 3 x 1 matrix with integer entries.


32. Is the product cipher composed of two digraphic block ciphers based on affine transformations
also a digraphic block cipher based on an affine transformation?


33. Is the product cipher composed of two block ciphers based on affine transformations,
encrypting blocks of length m and blocks of length n, respectively, also a block cipher based
on an affine transformation?


34. Encrypt the bit string 11 1010 0011 using the Vernam cipher with keystream 10 0111 1001.


35. Decrypt the bit string 11 1010 0011, assuming that it was encrypted using the Vernam cipher
with keystream 10 0111 1001.


36. Encrypt the plaintext message MIDDLETOWN using the autokey cipher with seed Z.


37. Decrypt the ciphertext message ZVRQH DUJIM, assuming that it was encrypted using the
autokey cipher with seed I.


38. Show that the Vernam cipher is vulnerable to a known-plaintext attack if a keystream is used
repeatedly. In particular, show that if someone can encrypt a bit string and have access to the
resulting ciphertext string, the keystring can be found.


39. Show that if a keystream is used to encrypt two different messages using a Vernam cipher,
then the bit string obtained by adding corresponding bits of the two messages modulo 2 could
be found by someone with the corresponding ciphertext messages. Why might this permit
cryptanalysis?


Computations and Explorations 


1. Encrypt some messages using Vigenère ciphers for your classmates to decrypt.

2. Decrypt messages encrypted by your classmates using Vigenère ciphers.

3. Run the Kasiski test on some ciphertexts encrypted using Vigenère ciphers.

4. Find the index of coincidence for some character strings.

5. Cryptanalyze some ciphertexts encrypted using Vigenère ciphers.

6. Find the frequencies of digraphs in various types of English texts, such as this text, computer
programs, and a novel.

7. Find the frequencies of trigraphs in various types of English texts, such as this text, computer
programs, and a novel.

8. Encrypt some messages using Hill ciphers for your classmates to decrypt.

9. Decrypt messages encrypted by your classmates using Hill ciphers.

10. Encrypt and decrypt some long messages using a Vigenère cipher one-time pad, sending these
messages to a particular classmate.

11. Encrypt some messages using an autokey cipher for your classmates to decrypt.

12. Decrypt some messages that were encrypted using an autokey cipher by your classmates.


Programming Projects 


1. Given a plaintext message, encrypt it using a Vigenère cipher.

2. Given a plaintext message that has been encrypted using Vigenère ciphers, decrypt it.

3. Given ciphertext encrypted using a Vigenère cipher, run the Kasiski test to determine the key
length of the cipher.

4. Given a string of English characters, find the index of coincidence of this string.

5. Given ciphertext produced using a Vigenère cipher, use the Kasiski test together with the
Friedman test, which uses the index of coincidence, to find possible key lengths. For each
possible key length, use frequency analysis to find each character of the key. Try to recover
the original plaintext for each possible key you found. Figure out whether you found the
correct key by checking to see whether decryption via a possible key produces words in
English.

6. Given a plaintext message, encrypt it using a Hill cipher.

7. Given a ciphertext message that was produced using a Hill cipher, decrypt it.

8. Cryptanalyze messages that were encrypted using a digraphic Hill cipher, by analyzing the
frequency of digraphs in the ciphertext.

9. Given a plaintext message, encrypt it using a cipher based on an affine transformation of
blocks. (See the preamble to Exercise 26.)

10. Given a message that was encrypted using an affine transformation of blocks, decrypt it.

11. By analyzing the frequency of digraphs in ciphertext, cryptanalyze messages encrypted using
a digraphic block cipher based on an affine transformation.

12. Given a message, encrypt it using the autokey cipher.

13. Given a message that was encrypted using the autokey cipher, decrypt it.


8.3 Exponentiation Ciphers


In this section, we discuss a cipher based on modular exponentiation, which was invented 
in 1978 by Pohlig and Hellman [PoHe78]. We will see that ciphers produced by this 
system are resistant to cryptanalysis. (This cipher is of more theoretical than practical 
significance.) 


Let p be an odd prime and let e, the enciphering key, be a positive integer with 
(e, p — 1) = 1. To encrypt a message, we first translate the letters of the message into 
numerical equivalents (retaining initial zeros in the two-digit numerical equivalents of 
letters). We use the same relationship we have used before, as shown in Table 8.9.


Letter                A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
Numerical equivalent  00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

Table 8.9 Two-digit numerical equivalents of letters.


Next, we group the resulting numbers into blocks of 2m decimal digits, where 
2m is the largest positive even integer such that all blocks of numerical equivalents 
corresponding to m letters (viewed as a single integer with 2m decimal digits) are less 
than p, e.g., if 2525 < p < 252,525, then m = 2. 


For each plaintext block P, which is an integer with 2m decimal digits, we form a
ciphertext block C using the relationship

$$C \equiv P^e \pmod{p}, \quad 0 \leq C < p.$$


The ciphertext message consists of these ciphertext blocks, which are integers less than 
p. Notice that different values of e determine different ciphers, hence e is aptly called 
the enciphering key. We illustrate the encryption technique with the following example. 


Example 8.14. Let the prime to be used as the modulus in the encryption procedure 
be p = 2633, and let the encryption key to be used as the exponent in the modular 
exponentiation be e = 29, so that (e, p — 1) = (29, 2632) = 1. To encrypt the plaintext 
message 


THIS IS AN EXAMPLE OF AN EXPONENTIATION CIPHER, 


we first convert the letters of the message into their numerical equivalents, and then form 
blocks of length four from these digits, to obtain 


1907 0818 0818 0013 0423 
0012 1511 0414 0500 1304 
2315 1413 0413 1908 0019 
0814 1302 0815 0704 1723. 


Note that we have added the two digits 23, corresponding to the letter X, at the end 
of the message to fill out the final block of four digits. 


We next translate each plaintext block P into a ciphertext block C using the
relationship

$$C \equiv P^{29} \pmod{2633}, \quad 0 \leq C < 2633.$$

For instance, to encrypt the first plaintext block, we compute

$$C \equiv 1907^{29} \equiv 2199 \pmod{2633}.$$

To efficiently carry out the modular exponentiation, we use the algorithm given in Section
4.1. When we encrypt the blocks, we obtain the ciphertext:

2199 1745 1745 1206 2437
2425 1729 1619 0935 0960
1072 1541 1701 1553 0735
2064 1351 1704 1841 1459.


To decrypt a ciphertext block C, we need to know a decryption key, namely, an
integer d such that $de \equiv 1 \pmod{p - 1}$, so that d is an inverse of e (mod p − 1), which
exists because (e, p − 1) = 1. If we raise the ciphertext block C to the dth power modulo
p, we recover our plaintext block P. To see this, we first consider the case when $p \nmid P$;
then, we will dispose of the case where $p \mid P$. When $p \nmid P$, we have

$$C^d \equiv (P^e)^d = P^{ed} = P^{k(p-1)+1} = (P^{p-1})^k P \equiv P \pmod{p},$$

where de = k(p − 1) + 1, for some integer k, because $de \equiv 1 \pmod{p - 1}$. (Note that
we have used Fermat’s little theorem to see that $P^{p-1} \equiv 1 \pmod{p}$.) When $p \mid P$, then
P = 0, as $0 \leq P < p$, so that C = 0 also because $C \equiv P^e = 0^e = 0 \pmod{p}$, $0 \leq C < p$.
Hence, $C^d = 0^d = 0 \pmod{p}$, which means that $C^d \equiv P \pmod{p}$ in this case too.


Example 8.15. To decrypt the ciphertext blocks generated using the prime modulus
p = 2633 and the encryption key e = 29, we need an inverse of e modulo p − 1 = 2632.
An easy computation, as done in Section 4.2, shows that d = 2269 is such an inverse.
To decrypt the ciphertext block C to find the corresponding plaintext block P, we use
the relationship

$$P \equiv C^{2269} \pmod{2633}.$$

For instance, to decrypt the ciphertext block 2199, we have

$$P \equiv 2199^{2269} \equiv 1907 \pmod{2633}.$$

Again, the modular exponentiation is carried out using the algorithm given in Section 4.1.
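The whole procedure of Examples 8.14 and 8.15 as an added Python example (not part of the text; the function names are chosen here). It forms the blocks of 2m digits, pads the last block with X as the text does, finds d as an inverse of e modulo p − 1, and checks that the block P = 0 (the case p | P) is handled as well. Python's built-in pow performs the modular exponentiation and the modular inverse.

```python
"""Pohlig-Hellman exponentiation cipher: blocks, keys, encryption, decryption."""
from math import gcd

PAD = 23  # the letter X, used in Example 8.14 to fill out the last block


def letters_per_block(p):
    """Largest m such that the 2m-digit integer 2525...25 is less than p."""
    m = 0
    while int("25" * (m + 1)) < p:
        m += 1
    if m == 0:
        raise ValueError("p must be larger than 25")
    return m


def text_to_blocks(message, p):
    """Two-digit equivalents (A=00, ..., Z=25) grouped into integers below p."""
    nums = [ord(ch) - ord("A") for ch in message.upper() if "A" <= ch <= "Z"]
    m = letters_per_block(p)
    nums += [PAD] * (-len(nums) % m)  # fill out the final block
    blocks = []
    for i in range(0, len(nums), m):
        value = 0
        for n in nums[i:i + m]:
            value = value * 100 + n
        blocks.append(value)
    return blocks


def blocks_to_text(blocks, p):
    """Inverse of text_to_blocks (padding letters are left in place)."""
    width = 2 * letters_per_block(p)
    digits = "".join(f"{b:0{width}d}" for b in blocks)
    return "".join(chr(int(digits[i:i + 2]) + ord("A"))
                   for i in range(0, len(digits), 2))


def decryption_key(p, e):
    """Inverse d of e modulo p - 1; it exists exactly when (e, p - 1) = 1."""
    if gcd(e, p - 1) != 1:
        raise ValueError("e must be relatively prime to p - 1")
    return pow(e, -1, p - 1)


def transform(blocks, exponent, p):
    """C = P^e (mod p) with exponent e, or P = C^d (mod p) with exponent d."""
    return [pow(b, exponent, p) for b in blocks]


def show(blocks, p):
    """Blocks printed with leading zeros, as in the text."""
    width = 2 * letters_per_block(p)
    return " ".join(f"{b:0{width}d}" for b in blocks)


if __name__ == "__main__":
    p, e = 2633, 29
    message = "THIS IS AN EXAMPLE OF AN EXPONENTIATION CIPHER"
    plain = text_to_blocks(message, p)
    cipher = transform(plain, e, p)
    d = decryption_key(p, e)
    print("plaintext blocks :", show(plain, p))
    print("ciphertext blocks:", show(cipher, p))
    print("d =", d)
    print("decrypted        :", blocks_to_text(transform(cipher, d, p), p))
```
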


For each plaintext block P that we encrypt by computing $P^e \pmod{p}$, we use only
$O((\log_2 p)^3)$ bit operations, as Theorem 4.9 demonstrates. Before we decrypt, we need
to find an inverse d of e modulo p − 1. This can be done using $O(\log^3 p)$ bit operations
(see Exercise 15 of Section 4.2), and this must be done only once. Then to recover the
plaintext block P from a ciphertext block C, we simply need to compute the least positive
residue of $C^d$ modulo p; we can do this using $O((\log_2 p)^3)$ bit operations. Consequently,
the process of encryption and decryption using modular exponentiation can be carried
out rapidly.


On the other hand, cryptanalysis of messages encrypted using modular exponentiation
generally cannot be accomplished rapidly. To see this, suppose that we know the
prime p used as the modulus and, moreover, suppose that we know the plaintext block
P corresponding to a ciphertext block C, so that

$$C \equiv P^e \pmod{p}. \tag{8.2}$$

For successful cryptanalysis, we need to find the enciphering key e. This is the discrete
logarithm problem, a computationally difficult problem that will be discussed in Chapter
9. Note that when p has more than 200 decimal digits, it is not feasible to solve this
problem using a computer.


EXERCISES 


1. Using the prime p = 101 and encryption key e = 3, encrypt the message GOOD MORNING
using modular exponentiation.


2. Using the prime p = 2621 and encryption key e = 7, encrypt the message SWEET DREAMS
using modular exponentiation.


3. What is the plaintext message that corresponds to the ciphertext 01 09 00 12 12 09 24 10 that
is produced using modular exponentiation with modulus p = 29 and encryption exponent
e = 5?


4. What is the plaintext message that corresponds to the ciphertext 1213 0902 0539 1208
1234 1103 1374 that is produced using modular exponentiation with modulus p = 2591 and
encryption key e = 13?


5. Show that the encryption and decryption procedures are identical when encryption is done
using modular exponentiation with modulus p = 31 and enciphering key e = 11.


6. With modulus p = 29 and unknown encryption key e, modular exponentiation produces the
ciphertext 04 19 19 11 04 24 09 15 15. Cryptanalyze the above cipher, if it is also known that
the ciphertext block 24 corresponds to the plaintext letter U (with numerical equivalent 20).
(Hint: First find the logarithm of 24 to the base 20 modulo 29, using some guesswork.)


Computations and Explorations 


1. Encrypt some messages for your classmates to decrypt using exponentiation ciphers.


2. Decrypt messages encrypted by your classmates using exponentiation ciphers, given the
encryption key and prime modulus.


Programming Projects 


1. Given a message, encryption key, and prime modulus, encrypt it using an exponentiation
cipher.


2. Given a message encrypted using an exponentiation cipher and the encrypting key and prime
modulus, decrypt it.


8.4 Public Key Cryptography


The cryptosystems we have discussed so far are all examples of private key, or symmetric, 
cryptosystems, where the encryption and decryption keys are either the same or can be 
easily found from each other. For example, in a shift cipher, the encrypting key is an 
integer k and the corresponding decrypting key is the integer −k. In an affine cipher, the
encrypting key is a pair (a, b) and the corresponding decrypting key is the pair $(\bar{a}, -\bar{a}b)$,
where $\bar{a}$ is an inverse of a modulo 26. In a Hill cipher, the encrypting key is an n x n
matrix A and the corresponding decrypting key is the n x n matrix $\bar{A}$, where $\bar{A}$ is an
inverse of the matrix A modulo 26. In the Pohlig-Hellman exponentiation cipher, the
encrypting key is (e, p), where p is a prime, and the corresponding decrypting key 
is (d, p), where d is an inverse of e modulo p — 1. For the DEA, the encrypting and 
decrypting keys are exactly the same. 


For that reason, if one of the cryptosystems discussed so far is used to establish secure
communications within a network, then each pair of communicants must employ an
encryption key that is kept secret from the other individuals in the network, because once
the encryption key in such a cryptosystem is known, the decryption key can be found using
a small amount of computer time. Consequently, to maintain secrecy, the encryption
keys must themselves be transmitted over a channel of secure communications.


To avoid assigning a key to each pair of individuals, which must be kept secret from 
the rest of the network, a new type of cryptosystem, called a public key cryptosystem, was 
invented in the 1970s. In this type of cryptosystem, encrypting keys can be made public, 
because an unrealistically large amount of computer time is required to find a decrypting 
transformation from an encrypting transformation. To use a public key cryptosystem to 
establish secret communications in a network of n individuals, each individual produces 
a key of the type specified by the cryptosystem, retaining certain private information that 
went into the construction of the encrypting transformation E(k), obtained from the key
k according to a specified rule. Then a directory of the n keys $k_1, k_2, \ldots, k_n$ is published.
When individual i wishes to send a message to individual j, the letters of the message
are translated into their numerical equivalents and combined into blocks of specified
size. Then, for each plaintext block P a corresponding ciphertext block $C = E_{k_j}(P)$ is
computed using the encrypting transformation $E_{k_j}$. To decrypt the message, individual
j applies the decrypting transformation $D_{k_j}$ to each ciphertext block C to find P; that is,

$$D_{k_j}(C) = D_{k_j}(E_{k_j}(P)) = P.$$

Because the decrypting transformation $D_{k_j}$ cannot be found in a realistic amount of time
by anyone other than individual j, no unauthorized individuals can decrypt the message,
even though they know the key $k_j$. Furthermore, cryptanalysis of the ciphertext message,
even with knowledge of $k_j$, is extremely infeasible due to the large amount of computer
time needed.


Many cryptosystems have been proposed as public key cryptosystems. All but a 
few have been shown to be unsuitable, by demonstrating that ciphertext messages can 
be decrypted using a feasible amount of computer time. In this section, we will introduce 
the most widely used public key cryptosystem, the RSA cryptosystem. In addition, we 
will introduce several other public key cryptosystems, including the Rabin public key 
cryptosystem, which we will discuss at the end of this section, and the ElGamal public 
key cryptosystem, which we will discuss in Chapter 10. The security of these systems 
rests on the difficulty of two computationally intensive mathematical problems, factoring 
integers (discussed in Chapter 3) and finding discrete logarithms (to be discussed in 
Chapter 9). In Section 8.5, we will describe a proposed public key cryptosystem, the 
knapsack cryptosystem, that turned out not to be suitable as a basis for a public key
cryptosystem. (See [MevaVa97] for a comprehensive look at most of the important public 
key cryptosystems.) 


Although public key cryptosystems have many advantages, they are not extensively 
used for general-purpose encryption. The reason is that encrypting and decrypting in 
these cryptosystems require too much time and memory on most computers, generally 
several orders of magnitude more than required for symmetric cryptosystems currently 
in use. However, public key cryptosystems are used extensively to encrypt keys for 
symmetric cryptosystems such as DES, so that these keys can be transmitted securely. 
They are also used in a wide variety of cryptographic protocols, such as in digital 
signatures (discussed in Section 8.6). They are also particularly useful for applications 
involving smart cards and electronic commerce. 


Also note that in modern cryptography, the cryptosystem used to encrypt messages is 
publicly known. Consequently, the secrecy of encrypted messages does not depend on the 
secrecy of the encryption algorithm in use. For symmetric key cryptosystems, the secrecy 
of messages depends on the secrecy of the encryption key in use and the computational 
difficulty of finding this key from other information (such as plaintext-ciphertext pairs).
For public key cryptosystems, secrecy rests on the secrecy of the decryption key and 
the computational difficulty of finding this key from the encryption key and other public 
information (such as plaintext-ciphertext pairs). 


The RSA Cryptosystem 


The most commonly used public key cryptosystem is the RSA cryptosystem, named after 
Ronald Rivest, Adi Shamir, and Leonard Adleman [RiShAd78], who described it in 1977 
(and patented it [RiShAd83] in 1983). However, this cryptosystem was actually invented
several years earlier in 1973 by the British mathematician Clifford Cocks in secret work 
at the Communications Headquarters of British intelligence. Cocks’s invention was only 
declassified and made public in 1997. 


The RSA cryptosystem is a public key cryptosystem based on modular exponentiation,
where the keys are pairs (e, n) consisting of an exponent e and a modulus n that is
the product of two large primes; that is, n = pq, where p and q are large primes, so that
$(e, \phi(n)) = 1$. To encrypt a message, we first translate the letters into their numerical
equivalents and then form blocks of the largest possible size (with an even number of
digits). To encrypt a plaintext block P, we apply the encryption transformation E(P) to
obtain the ciphertext block C with

$$E(P) = C \equiv P^e \pmod{n}, \quad 0 \leq C < n.$$

The decrypting procedure requires knowledge of an inverse d of e modulo $\phi(n)$,
which exists because $(e, \phi(n)) = 1$. To decrypt the ciphertext block C, we use the
decryption transformation D(C) with

$$D(C) \equiv C^d \pmod{n}, \quad 0 \leq D(C) < n.$$

To see that $D(C) = (P^e)^d \equiv P \pmod{n}$ for all possible plaintext messages P, note that

$$D(C) \equiv C^d \equiv (P^e)^d = P^{ed} = P^{k\phi(n)+1} = P^{\phi(n)k} P \pmod{n},$$

where $ed = k\phi(n) + 1$ for some integer k, because $ed \equiv 1 \pmod{\phi(n)}$. When (P, n) = 1,
by Euler’s theorem we know that $P^{\phi(n)} \equiv 1 \pmod{n}$. Consequently,

$$P^{\phi(n)k} P = (P^{\phi(n)})^k P \equiv P \pmod{n}.$$

Hence,

$$D(C) \equiv P \pmod{n}.$$


Next, we consider the rare case (see Exercise 4) when (P, n) > 1. To show that the
decryption transformation recovers the plaintext message, we need to first look at
congruences modulo p and modulo q separately and then apply the Chinese remainder theorem.
(Our reasoning here also applies when (P, n) = 1, although it is more complicated
than our earlier reasoning.) So, suppose that $P \not\equiv 0 \pmod{p}$. Then, we have
$D(C) \equiv P^{\phi(n)k} P = P^{(p-1)(q-1)k} P = (P^{p-1})^{(q-1)k} P \equiv P \pmod{p}$, where we have used the
congruence $P^{p-1} \equiv 1 \pmod{p}$, which follows by Fermat’s little theorem. Furthermore, if
$P \equiv 0 \pmod{p}$, then $C \equiv P^e \equiv 0 \pmod{p}$, so that $D(C) \equiv P \pmod{p}$ in this case as
well. Similar reasoning holds for the prime q, so that $D(C) \equiv P \pmod{q}$. Applying the
Chinese remainder theorem, it follows that the separate congruences modulo p and
modulo q imply that $D(C) \equiv P \pmod{n}$ for all P, including those P for which (P, n) > 1.


cryptosystem proposed as a public cryptosystem by Merkle and Hellman, developing numerous
cryptographic protocols, and creative cryptanalysis of DES.

professor of computer science at M.I.T., and a cofounder of RSA Data Security,
Inc. (now a subsidiary of Security Dynamics), the company that holds the patents
on the RSA cryptosystem. Rivest has worked in the areas of machine learning,
computer algorithms, and VLSI design. He is one of the authors of a popular
textbook on algorithms ([CoLeRiSt10]).

received his B.S. in mathematics and his Ph.D. in computer science from the

appointed to a position in the computer science department of the University
of Southern California, and to a chaired professorship in 1985. Adleman has


We have shown that for the RSA cryptosystem, the pair $(d, n)$ is the decrypting key
corresponding to the encrypting key $(e, n)$, where $d$ is an inverse of $e$ modulo $\phi(n)$.


Note that a cryptanalyst who knows that a message $P$ is not relatively prime to $n$ can
factor $n$ and break the particular RSA code being used (Exercise 4). There is an extremely
low probability that an arbitrary message $P$ is not relatively prime to $n$ (Exercise 3).


Example 8.16. To illustrate how the RSA cryptosystem works, suppose that the encrypting
modulus is the product of the two primes 43 and 59 (which are smaller than the
large primes that would actually be used); thus, we have $n = 43 \cdot 59 = 2537$ as the modulus.
We take $e = 13$ as the exponent; note that we have $(e, \phi(n)) = (13, 42 \cdot 58) = 1$.
To encrypt the message


PUBLIC KEY CRYPTOGRAPHY, 


we first translate the letters into their numerical equivalents, and then group these
numbers together into blocks of four. We obtain

1520 0111 0802 1004
2402 1724 1519 1406
1700 1507 2423,

where we have added the dummy letter X = 23 at the end of the passage to fill out the
final block.


CLIFFORD COCKS (b. 1950) was born at Prestbury in Cheshire, England. He
attended the Manchester Grammar School, a prestigious day school founded in
1515. After developing an aversion to studying Greek and Latin, he proclaimed
an interest in science. He soon developed a passion for mathematics under
the guidance of excellent instructors. In 1968, he won a silver medal at the
International Mathematics Olympiad. In the fall of 1968, Cocks entered King’s
College, Cambridge. He later graduated with a degree in mathematics and spent
a short time at Oxford University studying number theory. In 1973, he took a
job doing mathematical work at the Government Communications Headquarters (GCHQ) of British
intelligence. Two months after joining GCHQ, Cocks’ mentor told him about the idea of public key
cryptography, which was described in an internal report written by another employee, James Ellis.
Just a day later, Cocks leveraged his number theory knowledge to invent what is now called the
RSA cryptosystem. He was quickly led to this idea when he realized that reversing the process of
multiplying two large primes could be used as the basis of a public key cryptosystem. Only in 1997,
24 years after his discovery, was Cocks permitted to share with the world declassified GCHQ internal
documents describing his discovery. Besides his invention of the RSA cryptosystem, Cocks is known
for his invention of a secure identity-based encryption scheme, which uses information about a user’s
identity as a public key. In 2001, Cocks became the Chief Mathematician at GCHQ. He is proud of
his work setting up the Heilbronn Institute for Mathematical Research, a partnership between GCHQ
and the University of Bristol.


We encrypt each plaintext block into a ciphertext block, using the relationship

$$C \equiv P^{13} \pmod{2537}.$$

For instance, when we encrypt the first plaintext block 1520, we obtain the ciphertext
block

$$C \equiv (1520)^{13} \equiv 95 \pmod{2537}.$$


Encrypting all the plaintext blocks, we obtain the ciphertext message 
0095 1648 1410 1299 
0811 2333 2132 0370 
1185 1957 1084. 


To decrypt messages that have been encrypted using this RSA cipher, we must find an
inverse of $e = 13$ modulo $\phi(2537) = \phi(43 \cdot 59) = 42 \cdot 58 = 2436$. A short computation
using the Euclidean algorithm, as done in Section 4.2, shows that $d = 937$ is an inverse of
13 modulo 2436. Consequently, to decrypt the ciphertext block $C$, we use the relationship

$$P \equiv C^{937} \pmod{2537}, \quad 0 \le P < 2537,$$

which is valid because

$$C^{937} \equiv (P^{13})^{937} \equiv (P^{2436})^5 P \equiv P \pmod{2537}.$$

Note that we have used Euler’s theorem to see that

$$P^{\phi(2537)} = P^{2436} \equiv 1 \pmod{2537},$$

when $(P, 2537) = 1$ (which is true for all of the plaintext blocks in this example).
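Example 8.16 in runnable form, as an added illustration that is not part of the book: it derives d from e with the extended Euclidean algorithm, uses square-and-multiply for the modular exponentiation, and encrypts and decrypts the message with the toy key. All function names are this example's own, and a modulus this small is for teaching only.

```python
# Added illustration, not from the book: RSA with the toy key of Example 8.16.
from math import gcd


def ext_gcd(a, b):
    """Extended Euclidean algorithm: return (g, x, y) with a*x + b*y == g."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def inverse_mod(e, m):
    """Least positive inverse of e modulo m; exists only when (e, m) = 1."""
    g, x, _ = ext_gcd(e, m)
    if g != 1:
        raise ValueError("e is not invertible modulo m")
    return x % m


def mod_exp(base, exponent, modulus):
    """Fast modular exponentiation by repeated squaring."""
    result, base = 1, base % modulus
    while exponent:
        if exponent & 1:
            result = result * base % modulus
        base = base * base % modulus
        exponent >>= 1
    return result


def rsa_keypair(p, q, e):
    """Return ((e, n), (d, n)) where d is the inverse of e modulo phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("(e, phi(n)) must equal 1")
    return (e, n), (inverse_mod(e, phi), n)


def text_to_blocks(text, letters_per_block=2, pad="X"):
    """A=00, ..., Z=25; group letters into blocks, padding the last with X."""
    letters = [c for c in text.upper() if "A" <= c <= "Z"]
    while len(letters) % letters_per_block:
        letters.append(pad)
    blocks = []
    for i in range(0, len(letters), letters_per_block):
        value = 0
        for c in letters[i:i + letters_per_block]:
            value = value * 100 + (ord(c) - ord("A"))
        blocks.append(value)
    return blocks


def blocks_to_text(blocks, letters_per_block=2):
    """Inverse of text_to_blocks (spaces are not restored)."""
    out = []
    for block in blocks:
        values = []
        for _ in range(letters_per_block):
            block, v = divmod(block, 100)
            values.append(v)
        out.extend(chr(ord("A") + v) for v in reversed(values))
    return "".join(out)


def apply_key(blocks, key):
    """RSA transformation: raise every block to the key's exponent modulo n."""
    exponent, n = key
    if any(not 0 <= b < n for b in blocks):
        raise ValueError("every block must satisfy 0 <= block < n")
    return [mod_exp(b, exponent, n) for b in blocks]


if __name__ == "__main__":
    public, private = rsa_keypair(43, 59, 13)
    plain = text_to_blocks("PUBLIC KEY CRYPTOGRAPHY")
    cipher = apply_key(plain, public)
    print("d =", private[0])
    print(" ".join(f"{c:04d}" for c in cipher))
    print(blocks_to_text(apply_key(cipher, private)))
```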


The Security of the RSA Cryptosystem

To understand how the RSA cryptosystem
fulfills the requirements of a public key cryptosystem, first note that each individual can
find two large primes $p$ and $q$, each with 200 decimal digits, in just a few minutes of
computer time. These primes can be found by picking odd integers with 200 digits at
random; by the prime number theorem, the probability that such an integer is prime
is approximately $2/\log 10^{200}$. Hence, we expect to find a prime after examining an
average of $1/(2/\log 10^{200})$, or approximately 230, such integers. To test these randomly
chosen odd integers for primality, we use Rabin’s probabilistic primality test (discussed
in Section 6.2). For each of these 200-digit odd integers, we perform Miller’s test for 100
bases less than the integer; the probability that a composite integer passes all these tests
is less than $10^{-60}$. The procedure we have just outlined requires only a few minutes of
computer time to find a 200-digit prime, and each individual need do so only twice.

Once the primes $p$ and $q$ have been found, an encrypting exponent $e$ must be chosen
such that $(e, \phi(pq)) = 1$. One suggestion for choosing $e$ is to take any prime greater than
both $p$ and $q$. No matter how $e$ is found, it should be true that $2^e > n = pq$, so that it is
impossible to recover the plaintext block $P$, $P \ne 0$ or 1, just by taking the $e$th root of
the integer $C$ with $C \equiv P^e \pmod{n}$, $0 < C < n$. As long as $2^e > n$, every message, other
than $P = 0$ and 1, is encrypted by exponentiation followed by a reduction modulo $n$.


We note that the modular exponentiation needed for encrypting messages using 
the RSA cryptosystem can be done using only a few seconds of computer time using 
the fast modular exponentiation algorithm described in Section 4.1 when the modulus, 
exponent, and base in the modular exponentiation have as many as 500 decimal digits. 
Also, using the Euclidean algorithm, we can rapidly find an inverse $d$ of the encryption
exponent $e$ modulo $\phi(n)$ when the primes $p$ and $q$ are known, so that
$\phi(n) = \phi(pq) = (p - 1)(q - 1)$ is known.


To see why knowledge of the encrypting key $(e, n)$ does not easily lead to the
decrypting key $(d, n)$, note that to find $d$, an inverse of $e$ modulo $\phi(n)$, requires
that we first find $\phi(n) = \phi(pq) = (p - 1)(q - 1)$. Note that finding $\phi(n)$ is not
easier than factoring the integer $n$. To see why, note that $p + q = n - \phi(n) + 1$ and
$p - q = \sqrt{(p + q)^2 - 4pq} = \sqrt{(p + q)^2 - 4n}$ and that $p = \frac{1}{2}[(p + q) + (p - q)]$ and
$q = \frac{1}{2}[(p + q) - (p - q)]$. Consequently, $p$ and $q$ can easily be found when $n = pq$
and $\phi(n) = (p - 1)(q - 1)$ are known. Note that when $p$ and $q$ both have approximately
200 decimal digits, $n = pq$ has approximately 400 decimal digits. Using the fastest
factorization algorithm known, millions of years of computer time are required to factor an
integer of this size. Also, if the integer $d$ is known, but $\phi(n)$ is not, then $n$ may also be
factored easily, because $ed - 1$ is a multiple of $\phi(n)$ and there are special algorithms for
factoring an integer $n$ using any multiple of $\phi(n)$ (see [Mi76]).
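The two reductions in this paragraph, carried through on the key of Example 8.16 as an added example that is not from the book. `factor_from_phi` follows the formulas for p + q and p - q above; `factor_from_exponents` uses the standard search for a nontrivial square root of 1 modulo n, which is an assumption of this example (the text only cites [Mi76] for such algorithms). Both show why φ(n) and d must be protected as carefully as p and q, and why a modulus whose d has leaked must be retired.

```python
# Added illustration, not from the book. Function names are this example's own.
from math import gcd, isqrt


def factor_from_phi(n, phi):
    """Recover (p, q), p < q, from n = pq and phi(n) = (p - 1)(q - 1)."""
    s = n - phi + 1                 # p + q
    disc = s * s - 4 * n            # (p - q)^2 = (p + q)^2 - 4n
    if disc < 0:
        raise ValueError("phi is not consistent with n")
    r = isqrt(disc)                 # |p - q| when disc is a perfect square
    if r * r != disc or (s + r) % 2:
        raise ValueError("phi is not consistent with n")
    large, small = (s + r) // 2, (s - r) // 2
    if small * large != n:
        raise ValueError("phi is not consistent with n")
    return small, large


def factor_from_exponents(n, e, d):
    """Factor n = pq given a matching pair (e, d), using only that
    e*d - 1 is a multiple of phi(n).

    Write e*d - 1 = 2^s * t with t odd. For a base a coprime to n, the
    sequence a^t, a^(2t), ..., a^(2^s t) ends in 1 modulo n. If the term
    just before the first 1 is not congruent to 1 or -1, it is a nontrivial
    square root x of 1, and (x - 1, n) is a proper factor of n.
    """
    t, s = e * d - 1, 0
    while t % 2 == 0:
        t //= 2
        s += 1
    # Bases are tried in increasing order so the run is reproducible; in
    # practice they are drawn at random and about half of them succeed.
    for a in range(2, n):
        g = gcd(a, n)
        if g > 1:                   # the base itself shares a factor with n
            return tuple(sorted((g, n // g)))
        x = pow(a, t, n)
        for _ in range(s):
            y = x * x % n
            if y == 1 and x not in (1, n - 1):
                p = gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            x = y
    raise ValueError("no factor found; are e and d a matching pair?")


if __name__ == "__main__":
    # Values from Example 8.16: n = 2537, phi(n) = 2436, e = 13, d = 937.
    print(factor_from_phi(2537, 2436))
    print(factor_from_exponents(2537, 13, 937))
```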


It has not been proven that it is impossible to decrypt messages encrypted using the 
RSA cryptosystem without factoring $n$, but so far no such method has been discovered.
(For example, we could decrypt RSA ciphertext if an algorithm existed that could 
quickly find eth roots modulo n that did not depend on knowledge of the factorization 
of n.) As yet, all decrypting methods that work in general are equivalent to factoring n, 
and, as we have remarked, factoring large integers seems to be an intractable problem, 
requiring tremendous amounts of computer time. If no method of decrypting RSA
messages without factoring the modulus $n$ is found, the security of the RSA system
can be maintained by increasing the size of the modulus as factoring methods and
computational power improve. Unfortunately, messages encrypted using the RSA cryptosystem will
become vulnerable to attack when factoring the modulus n becomes feasible. This means 
that extra care should be taken—for example, by using primes p and q each with several 
hundred digits—to protect the secrecy of messages that must be kept secret for tens, or 
hundreds, of years. 


Note that a few extra precautions should be taken in choosing the primes $p$ and
$q$ to be used in the RSA cryptosystem, to prevent the use of special rapid techniques
to factor $n = pq$. For example, both $p - 1$ and $q - 1$ should have large prime factors,
$(p - 1, q - 1)$ should be small, and $p$ and $q$ should not be too close together (see Exercise
12), which can be avoided by selecting them with decimal expansions differing in length
by a few digits.


As we have remarked, the security of the RSA cryptosystem depends on the difficulty 
of factoring large integers. In particular, for the RSA cryptosystem, once the modulus 
n has been factored it is easy to find the decrypting transformation from the encrypting 
transformation. Note, however, that it may be possible to somehow find the decrypting 
transformation from the encrypting transformation without factoring n, although this 
seems unlikely at present. 


Attacks on Implementations of the RSA Cryptosystem 


After more than 30 years of scrutiny, a variety of attacks on particular implementations 
of the RSA cryptosystem have been devised. These attacks show that care must be taken 
when implementing RSA to avoid particular vulnerabilities, called protocol failures. 
Note that no fundamental vulnerability has been found that would make RSA unsuitable 
for use as a public key cryptosystem. We will describe a variety of these attacks. The 
interested reader should consult [Bo99]. 


Encrypting the same plaintext message with different keys can lead to a successful 
Hastad broadcast attack. For example, when the encryption exponent 3 is used by three 
different people with different encryption moduli to encrypt the same plaintext message, 
someone who has the three ciphertext messages produced can recover the original plain- 
text. In general, it is possible to recover a plaintext message from ciphertext produced 
by encrypting the message using different RSA encryption keys when sufficiently many 
copies of the message have been encrypted. This type of attack can even succeed if the 
original message is altered for each recipient in a way that produces linearly related 
plaintext. To avoid this vulnerability, different random paddings of the message should 
be encrypted. 


We now describe a vulnerability of RSA found by M. Wiener [Wi90]. He showed 
that the decrypting exponent d of an RSA cryptosystem with encrypting key (e, n) can be 
efficiently determined if $n = pq$, $p$ and $q$ are primes with $q < p < 2q$, and the decrypting
exponent $d$ is less than $n^{1/4}/3$. (In Chapter 12, we will use the theory of continued
fractions to develop this attack.) This result shows that primes p and q that are not 
too close together should be used to produce the encrypting modulus and a decrypting 
exponent d that is relatively large should be used. Although it is customary to first select 
the encryption key in an RSA cipher, we can make the decrypting exponent large by 
selecting it first, and then using it to compute the encrypting exponent e. 


Disclosing partial information about one of the primes that make up the encrypting 
modulus n leads to another weakness of the RSA cryptosystem. Suppose that n = pq 
has m digits. Then knowing the initial m/4 or the final m/4 digits of p allows n to be 
efficiently factored. For example, when both p and q have 100 decimal digits, if we 
know the first 50 or the last 50 digits of p, we will be able to factor n. Details of this 
partial key disclosure attack can be found in [Co97]. A similar result shows that if we 
know the last m/4 digits of the decrypting exponent d, then we can efficiently find d
using O(e log e) operations. This shows that if the encryption exponent e is small, the
decryption exponent d can be found if we know the last 1/4 of its digits. 


The final type of attack we mention was discovered by Paul Kocher in 1995 when 
he was an undergraduate at Stanford University. He demonstrated that the decryption 
exponent in the RSA cryptosystem can be determined by carefully measuring the time 
required for the system to perform a series of decryptions. This provides information that 
can be used to determine the decryption key d. Fortunately, it is easy to devise methods 
to thwart this attack. For a description of this attack, see [TrWa02] and the article by 
Kocher [Ko96a]. 


The widespread acceptance and use of the RSA cryptosystem makes it an inviting 
target for attack. That only minor vulnerabilities have been found has given people con- 
fidence in the practical use of this cryptosystem. This fuels the search for vulnerabilities 
in this popular cryptosystem. 


The Rabin Cryptosystem 


Michael Rabin [Ra79] discovered a variant of the RSA cryptosystem for which factor- 
ization of the modulus n has almost the same computational complexity as obtaining 
the decrypting transformation from the encrypting transformation. To describe Rabin’s 
cryptosystem, let n = pq, where p and q are odd primes, and let b be an integer with 
0 <b <n. To encrypt the plaintext message P, we form 


$$C \equiv P(P + b) \pmod{n}.$$


We will not discuss the decrypting procedure for Rabin ciphers here, because it relies 
on some concepts that we have not yet developed (see Exercise 49 in Section 11.1). 
However, we remark that there are four possible values of P for each ciphertext C such 
that $C \equiv P(P + b) \pmod{n}$, an ambiguity that complicates the decrypting process. When
p and q are known, the decrypting procedure for a Rabin cipher can be carried out rapidly 
because O(log n) bit operations are needed. 


Rabin has shown that if there is an algorithm for decrypting in this cryptosystem, 
without knowledge of the primes p and q, that requires f (n) bit operations, then there 
is an algorithm for the factorization of n requiring only 2(f (n) + log n) bit operations. 
Hence, the process of decrypting messages encrypted with a Rabin cipher without knowl- 
edge of p and q is a problem of computational complexity similar to that of factorization. 
For more information about the Rabin public key cryptosystem, see [MevaVa97]. 


EXERCISES 


1. Find the primes $p$ and $q$ if $n = pq = 14{,}647$ and $\phi(n) = 14{,}400$.

2. Find the primes $p$ and $q$ if $n = pq = 4{,}386{,}607$ and $\phi(n) = 4{,}382{,}136$.

3. Suppose a cryptanalyst discovers a message $P$ that is not relatively prime to the enciphering
modulus $n = pq$ used in an RSA cipher. (He can confirm this by running the Euclidean
algorithm.) Show that the cryptanalyst can factor $n$.

4. Show that it is extremely unlikely that a message such as that described in Exercise 3 can be
discovered. Do this by demonstrating that the probability that a message $P$ is not relatively
prime to $n$ is $\frac{1}{p} + \frac{1}{q} - \frac{1}{pq}$, and if $p$ and $q$ are both larger than $10^{100}$, this probability is less
than $10^{-99}$. In this exercise, assume that it is equally likely for a message to fall into each
of the residue classes modulo $n$.

5. What is the ciphertext that is produced when RSA encryption with key $(e, n) = (3, 2669)$ is
used to encrypt the message BEST WISHES?

6. What is the ciphertext that is produced when RSA encryption with key $(e, n) = (7, 2627)$ is
used to encrypt the message LIFE IS A DREAM?

7. If the ciphertext message produced by RSA encryption with the key $(e, n) = (13, 2747)$ is
2206 0755 0436 1165 1737, what is the plaintext message?

8. If the ciphertext message produced by RSA encryption with the key $(e, n) = (5, 2881)$ is
0504 1874 0347 0515 2088 2356 0736 0468, what is the plaintext message?

9. Encrypt the message SELL NOW using the Rabin cipher $C \equiv P(P + 5) \pmod{2573}$.

10. Encrypt the message LEAVE TOWN using the Rabin cipher $C \equiv P(P + 11) \pmod{3901}$.

11. Suppose that Bob, extremely concerned with security, selects an encrypting modulus $n$,
$n = pq$, where $p$ and $q$ are large primes, and two encrypting exponents $e_1$ and $e_2$. He asks
Alice to double encrypt messages sent to him by first encrypting plaintext using the RSA
cipher with encryption key $(e_1, n)$ and then encrypting the resulting ciphertext again using
the RSA cipher with encryption key $(e_2, n)$. Does Bob gain any extra security by this double
encryption? Justify your answer.

12. Explain why we should not choose primes $p$ and $q$ that are too close together to form the
encrypting modulus $n$ in the RSA cryptosystem. In particular, show that using a pair of twin
primes for $p$ and $q$ would be disastrous. (Hint: Recall Fermat’s factorization method.)

13. Suppose that two parties share a common modulus $n$ in the RSA cryptosystem, but have
different encrypting exponents. Show that the plaintext of a message sent to each of these
two parties encrypted using each of their RSA keys can be recovered from the ciphertext
messages.

14. Show that if the encryption exponent 3 is used for the RSA cryptosystem by three different
people with different moduli, a plaintext message $P$ encrypted using each of their keys can
be recovered from these resulting three ciphertext messages. (Hint: Suppose that the moduli
in these three keys are $n_1$, $n_2$, and $n_3$. First find a common solution to the congruences
$x \equiv P^3 \pmod{n_i}$, $i = 1, 2, 3$.) (This is an example of a Hastad broadcast attack.)

15. Describe how an RSA cryptosystem works if the encrypting modulus $n$ is the product of three
primes, rather than two primes.

16. Suppose that two people have RSA encrypting keys with encrypting moduli $n_1$ and $n_2$,
respectively, where $n_1 \ne n_2$. Show how you could break the system if $(n_1, n_2) > 1$.

17. Suppose we use RSA encryption with the same key to encrypt plaintext messages $P_1$ and $P_2$,
and their product $P = P_1 P_2$. Show that the ciphertext obtained when $P$ is encrypted equals the
product of the ciphertexts $C_1$ and $C_2$, produced when $P_1$ and $P_2$ are encrypted, respectively,
reduced modulo $n$, where $n$ is the encryption modulus.

18. Suppose that Alice’s RSA encryption key is $(e, n)$ and that $C$ is the ciphertext produced when
she encrypts the plaintext message $P$. Show that Eve can recover $P$ after intercepting $C$ if she
manages to obtain the result of Alice’s decryption of $C' = C r^e$, where $r$ is a random integer
that Eve has selected. (Alice decrypts $C'$ because she has been fooled into thinking it is a
valid message. Eve is able to obtain the result when Alice throws away what seems to her to
be nonsense.)


Computations and Explorations 


1. Construct a key for the RSA cipher for inclusion in a directory of encryption keys for the
members of your class.

2. For each member of your class, encrypt a message using the RSA cipher with the public keys
published in the directory.

3. Decrypt the messages sent to you by your classmates that were encrypted using your RSA
encryption key.


Programming Projects 


1. Generate valid keys (e, n) for the RSA cryptosystem.

2. Given a valid key (e, n) for the RSA cryptosystem and the factorization n = pq where p and
q are primes, find the corresponding decryption key d.

3. Given a message, encrypt a message using the RSA cipher with a given key (e, n).

4. Given a message that was encrypted using an RSA cipher with encryption key (e, n) and the
corresponding decryption key d, decrypt it.


Knapsack Ciphers 


In this section, we discuss cryptosystems based on the knapsack problem. Given a set
of positive integers $a_1, a_2, \ldots, a_n$ and an integer $S$, the knapsack problem asks which
of these integers, if any, add together to give $S$. Another way to phrase the knapsack
problem is to ask for values of $x_1, x_2, \ldots, x_n$, each either 0 or 1, such that

(8.3) $$S = a_1 x_1 + a_2 x_2 + \cdots + a_n x_n.$$


We use an example to illustrate the knapsack problem. 


Example 8.17. Let $(a_1, a_2, a_3, a_4, a_5) = (2, 7, 8, 11, 12)$ and $S = 21$. By inspection,
we see that there are two subsets of these five integers that add together to give 21,
namely, $21 = 2 + 8 + 11 = 2 + 7 + 12$. Equivalently, there are exactly two solutions to
the equation $2x_1 + 7x_2 + 8x_3 + 11x_4 + 12x_5 = 21$, with $x_i = 0$ or 1 for $i = 1, 2, 3, 4, 5$.
These solutions are $x_1 = x_3 = x_4 = 1$, $x_2 = x_5 = 0$, and $x_1 = x_2 = x_5 = 1$, $x_3 = x_4 = 0$.


To verify that equation (8.3) holds, where each x; is either 0 or 1, requires that we 
perform at most n additions. On the other hand, to search by trial and error for solutions of 
(8.3) may require that we check all $2^n$ possibilities for $(x_1, x_2, \ldots, x_n)$. The best method
known for finding a solution of the knapsack problem requires $O(2^{n/2})$ bit operations,
which makes a computer solution of a general knapsack problem extremely infeasible 
even when n = 100. 


Certain values of the integers $a_1, a_2, \ldots, a_n$ make the solution of the knapsack
problem much easier than the solution in the general case. For instance, if $a_j = 2^{j-1}$,
to solve $S = a_1 x_1 + a_2 x_2 + \cdots + a_n x_n$, where $x_i = 0$ or 1 for $i = 1, 2, \ldots, n$, simply
requires that we find the binary expansion of $S$. We can also produce easy knapsack
problems by choosing the integers $a_1, a_2, \ldots, a_n$ so that the sum of the first $j - 1$ of
these integers is always less than the $j$th integer, that is, so that

$$\sum_{i=1}^{j-1} a_i < a_j, \quad j = 2, 3, \ldots, n.$$

If a sequence of integers $a_1, a_2, \ldots, a_n$ satisfies this inequality, we call the sequence
super-increasing.


Example 8.18. The sequence 2, 3, 7, 14, 27 is super-increasing because $3 > 2$, $7 >
3 + 2$, $14 > 7 + 3 + 2$, and $27 > 14 + 7 + 3 + 2$.


To see that knapsack problems involving super-increasing sequences are easy to 
solve, we first consider an example. 


Example 8.19. Let us find the integers from the set 2, 3, 7, 14, 27 that have 37 as
their sum. First, we note that because $2 + 3 + 7 + 14 < 27$, a sum of integers from
this set can only be greater than 27 if the sum contains the integer 27. Hence, if
$2x_1 + 3x_2 + 7x_3 + 14x_4 + 27x_5 = 37$ with each $x_i = 0$ or 1, we must have $x_5 = 1$ and
$2x_1 + 3x_2 + 7x_3 + 14x_4 = 10$. Because $14 > 10$, $x_4$ must be 0 and we have
$2x_1 + 3x_2 + 7x_3 = 10$. Because $2 + 3 < 7$, we must have $x_3 = 1$ and therefore $2x_1 + 3x_2 = 3$.
Obviously, we have $x_2 = 1$ and $x_1 = 0$. The solution is $37 = 3 + 7 + 27$.


In general, to solve knapsack problems for a super-increasing sequence $a_1, a_2, \ldots,
a_n$, that is, to find the values of $x_1, x_2, \ldots, x_n$ with $S = a_1 x_1 + a_2 x_2 + \cdots + a_n x_n$ and
$x_i = 0$ or 1 for $i = 1, 2, \ldots, n$, when $S$ is given, we use the following algorithm. First,
we find $x_n$ by noting that

$$x_n = \begin{cases} 1 & \text{if } S \ge a_n; \\ 0 & \text{if } S < a_n. \end{cases}$$

Then, we find $x_{n-1}, x_{n-2}, \ldots, x_1$, in succession, using the equations

$$x_j = \begin{cases} 1 & \text{if } S - \sum_{i=j+1}^{n} x_i a_i \ge a_j; \\ 0 & \text{if } S - \sum_{i=j+1}^{n} x_i a_i < a_j, \end{cases}$$

for $j = n - 1, n - 2, \ldots, 1$.


To see that this algorithm works, first note that if $x_n = 0$ when $S \ge a_n$, then
$\sum_{i=1}^{n} a_i x_i \le \sum_{i=1}^{n-1} a_i < a_n \le S$, contradicting the condition $\sum_{j=1}^{n} a_j x_j = S$. Similarly,
if $x_j = 0$ when $S - \sum_{i=j+1}^{n} x_i a_i \ge a_j$, then
$\sum_{i=1}^{n} a_i x_i \le \sum_{i=1}^{j-1} a_i + \sum_{i=j+1}^{n} x_i a_i < a_j + \sum_{i=j+1}^{n} x_i a_i \le S$,
which is again a contradiction.


Using this algorithm, knapsack problems based on super-increasing sequences can 
be solved extremely quickly. We now discuss a cryptosystem based on this observation, 
invented by Merkle and Hellman [MeHe78], that was initially considered a good choice 
for a public key cryptosystem. (We will comment more about this later in this section.) 


The ciphers that we describe here are based on transformed super-increasing sequences.
To be specific, let $a_1, a_2, \ldots, a_n$ be super-increasing and let $m$ be a positive
integer with $m > 2a_n$. Let $w$ be an integer relatively prime to $m$ with inverse $\bar{w}$ modulo
$m$. We form the sequence $b_1, b_2, \ldots, b_n$, where $b_j \equiv w a_j \pmod{m}$ and $0 < b_j < m$. We
cannot use this special technique to solve a knapsack problem of the type $S = \sum_{i=1}^{n} b_i x_i$,
where $S$ is a positive integer, because the sequence $b_1, b_2, \ldots, b_n$ is not super-increasing.
However, when $\bar{w}$ is known, we can find

(8.4) $$\bar{w} S = \sum_{i=1}^{n} \bar{w} b_i x_i \equiv \sum_{i=1}^{n} a_i x_i \pmod{m},$$

because $\bar{w} b_j \equiv a_j \pmod{m}$. From (8.4), we see that

$$S_0 = \sum_{i=1}^{n} a_i x_i,$$

where $S_0$ is the least positive residue of $\bar{w} S$ modulo $m$. We can easily solve the equation

$$S_0 = \sum_{i=1}^{n} a_i x_i,$$

because $a_1, a_2, \ldots, a_n$ is super-increasing. This solves the knapsack problem

$$S = \sum_{i=1}^{n} b_i x_i,$$

because $b_j \equiv w a_j \pmod{m}$ and $0 < b_j < m$. We illustrate this procedure with an
example.


Example 8.20. The super-increasing sequence $(a_1, a_2, a_3, a_4, a_5) = (3, 5, 9, 20, 44)$
can be transformed into the sequence $(b_1, b_2, b_3, b_4, b_5) = (23, 68, 69, 5, 11)$ by taking
$b_j \equiv 67 a_j \pmod{89}$, for $j = 1, 2, 3, 4, 5$. To solve the knapsack problem
$23x_1 + 68x_2 + 69x_3 + 5x_4 + 11x_5 = 84$, we can multiply both sides of this equation by 4, an inverse
of 67 modulo 89, and then reduce modulo 89, to obtain the congruence
$3x_1 + 5x_2 + 9x_3 + 20x_4 + 44x_5 \equiv 336 \equiv 69 \pmod{89}$. Because $89 > 3 + 5 + 9 + 20 + 44$, we can
conclude that $3x_1 + 5x_2 + 9x_3 + 20x_4 + 44x_5 = 69$. The solution of this easy knapsack
problem is $x_5 = x_4 = x_2 = 1$ and $x_3 = x_1 = 0$. Hence, the original knapsack problem has
as its solution $68 + 5 + 11 = 84$.

The cryptosystem based on the knapsack problem invented by Merkle and Hellman
works as follows. Each individual chooses a super-increasing sequence of positive
integers of a specified length, say, $N$ (for example, $a_1, a_2, \ldots, a_N$), as well as a
modulus $m$ with $m > 2a_N$ and a multiplier $w$ with $(m, w) = 1$. The transformed sequence
$b_1, b_2, \ldots, b_N$ is made public. When someone wishes to send a message $P$ to this
individual, the message is first translated into a string of zeros and ones using the binary
equivalents of letters, as shown in Table 8.10. This string of zeros and ones is next split
into segments of length $N$ (for simplicity, we suppose that the length of the string is
divisible by $N$; if not, we can simply fill out the last block with all ones). For each block,
a sum is computed using the sequence $b_1, b_2, \ldots, b_N$: for instance, the block $x_1 x_2 \ldots x_N$
gives $S = b_1 x_1 + b_2 x_2 + \cdots + b_N x_N$. Finally, the sums generated by each block form
the ciphertext message.


We note that to decipher ciphertext generated by the knapsack cipher, without
knowledge of $m$ and $w$, requires that a group of hard knapsack problems of the form

(8.5) $$S = b_1 x_1 + b_2 x_2 + \cdots + b_N x_N$$

be solved. On the other hand, when $m$ and $w$ are known, the knapsack problem (8.5) can
be transformed into an easy knapsack problem, because

$$\bar{w} S = \bar{w} b_1 x_1 + \bar{w} b_2 x_2 + \cdots + \bar{w} b_N x_N$$
$$\equiv a_1 x_1 + a_2 x_2 + \cdots + a_N x_N \pmod{m},$$

in which $\bar{w} b_j \equiv a_j \pmod{m}$, where $\bar{w}$ is an inverse of $w$ modulo $m$, so that

(8.6) $$S_0 = a_1 x_1 + a_2 x_2 + \cdots + a_N x_N,$$

where $S_0$ is the least positive residue of $\bar{w} S$ modulo $m$. We have equality in (8.6), because
both sides of the equation are positive integers less than $m$ that are congruent modulo $m$.


Letter  Binary Equivalent    Letter  Binary Equivalent
A       00000                N       01101
B       00001                O       01110
C       00010                P       01111
D       00011                Q       10000
E       00100                R       10001
F       00101                S       10010
G       00110                T       10011
H       00111                U       10100
I       01000                V       10101
J       01001                W       10110
K       01010                X       10111
L       01011                Y       11000
M       01100                Z       11001

Table 8.10 The binary equivalents of letters.


We illustrate the encrypting and decrypting procedures of the knapsack cipher with 
an example. We start with the super-increasing sequence $(a_1, a_2, a_3, a_4, a_5, a_6, a_7, a_8,
a_9, a_{10}) = (2, 11, 14, 29, 58, 119, 241, 480, 959, 1917)$. We take $m = 3837$ as the encrypting
modulus, so that $m > 2a_{10}$, and $w = 1001$ as the multiplier, so that $(m, w) = 1$,
to transform the super-increasing sequence into the sequence (2002, 3337, 2503, 2170,
503, 172, 3347, 855, 709, 417).


To encrypt the message 
REPLY IMMEDIATELY, 


we first translate the letters of the message into their five-digit binary equivalents, as 
shown in Table 8.10, and then group these digits into blocks of ten, to obtain 


1000100100 0111101011 1100001000 
0110001100 0010000011 0100000000 
1001100100 0101111000. 


For each block of ten binary digits, we form a sum by adding together the appropriate 
terms of the sequence (2002, 3337, 2503, 2170, 503, 172, 3347, 855, 709, 417) in the 
slots corresponding to positions of the block containing a digit equal to 1. This gives us 


3360 12986 8686 10042 3629 3337 5530 9529. 


For instance, we compute the first sum, 3360, by adding 2002, 503, and 855. 


To decrypt, we find the least positive residue modulo 3837 of 23 times each sum, 
because 23 is an inverse of 1001 modulo 3837, and then we solve the corresponding 
easy knapsack problem with respect to the original super-increasing sequence (2, 11, 
14, 29, 58, 119, 241, 480, 959, 1917). For example, to decrypt the first block, we find 
that $3360 \cdot 23 \equiv 540 \pmod{3837}$, and then note that $540 = 480 + 58 + 2$. This tells us
that the first block of plaintext binary digits is 1000100100. 
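The knapsack cipher of this section as an added, runnable example (not from the book): the solver for super-increasing sequences, the modular transformation, and encryption and decryption of the REPLY IMMEDIATELY example. Function names are this example's own, `pow(w, -1, m)` needs Python 3.8 or later, and the scheme is shown for study only.

```python
# Added illustration, not from the book: the knapsack cipher described above.
from math import gcd


def is_superincreasing(a):
    """True if every term exceeds the sum of all earlier terms."""
    total = 0
    for term in a:
        if term <= total:
            return False
        total += term
    return True


def solve_superincreasing(a, s):
    """Return bits x with sum(a[i] * x[i]) == s, deciding x_n first, then
    x_(n-1), ..., x_1, as in the algorithm in the text."""
    x, rest = [0] * len(a), s
    for j in range(len(a) - 1, -1, -1):
        if rest >= a[j]:
            x[j] = 1
            rest -= a[j]
    if rest != 0:
        raise ValueError("no subset of the sequence has this sum")
    return x


def public_sequence(a, w, m):
    """Transform the private sequence a into b_j = w * a_j mod m."""
    if not is_superincreasing(a):
        raise ValueError("private sequence must be super-increasing")
    if m <= 2 * a[-1] or gcd(w, m) != 1:
        raise ValueError("need m > 2*a_N and (m, w) = 1")
    return [w * term % m for term in a]


def to_bits(text):
    """Five-bit binary equivalents of Table 8.10 (A=00000, ..., Z=11001)."""
    return "".join(format(ord(c) - ord("A"), "05b")
                   for c in text.upper() if "A" <= c <= "Z")


def encrypt(text, b):
    """Split the bit string into blocks of len(b) bits, filling the last
    block with ones, and add the b_j whose bit is 1."""
    n = len(b)
    bits = to_bits(text)
    bits += "1" * (-len(bits) % n)
    return [sum(bj for bj, bit in zip(b, bits[i:i + n]) if bit == "1")
            for i in range(0, len(bits), n)]


def decrypt(sums, a, w, m):
    """Multiply each sum by the inverse of w modulo m, then solve the easy
    knapsack problem over the private sequence a."""
    w_inv = pow(w, -1, m)
    bits = ""
    for s in sums:
        bits += "".join(str(x) for x in solve_superincreasing(a, w_inv * s % m))
    values = [int(bits[i:i + 5], 2) for i in range(0, len(bits) - 4, 5)]
    # Five-bit groups above 25 can only be all-ones filler; drop them.
    return "".join(chr(ord("A") + v) for v in values if v < 26)


if __name__ == "__main__":
    private = [2, 11, 14, 29, 58, 119, 241, 480, 959, 1917]
    w, m = 1001, 3837
    public = public_sequence(private, w, m)
    cipher = encrypt("REPLY IMMEDIATELY", public)
    print(public)
    print(cipher)
    print(decrypt(cipher, private, w, m))
```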


Knapsack ciphers originally seemed to be excellent candidates for use in public key
cryptosystems. However, in 1982 Shamir [Sh84] showed that they are not satisfactory
for public key cryptography. The reason is that there is an efficient algorithm for solving
knapsack problems involving sequences $b_1, b_2, \ldots, b_n$ with $b_j \equiv w a_j \pmod{m}$, where
$w$ and $m$ are relatively prime positive integers and $a_1, a_2, \ldots, a_n$ is a super-increasing
sequence. The algorithm found by Shamir can solve these knapsack problems using only
$O(P(n))$ bit operations, where $P$ is a polynomial, instead of requiring exponential time,
as is required for known algorithms for general knapsack problems involving sequences
of a general nature. Although we will not go into the details of the algorithm found by
Shamir here, the reader can find these details by consulting [Od90].


There are several possibilities for altering this cryptosystem to avoid the weakness
found by Shamir. One such possibility is to choose a sequence of pairs of relatively prime
integers $(w_1, m_1), (w_2, m_2), \ldots, (w_r, m_r)$, and then form the series of sequences

$$b_j^{(1)} \equiv w_1 a_j \pmod{m_1}$$
$$b_j^{(2)} \equiv w_2 b_j^{(1)} \pmod{m_2}$$
$$\vdots$$
$$b_j^{(r)} \equiv w_r b_j^{(r-1)} \pmod{m_r},$$

for $j = 1, 2, \ldots, n$. We then use the final sequence $b_1^{(r)}, b_2^{(r)}, \ldots, b_n^{(r)}$ as the encrypting
sequence. Unfortunately, efficient algorithms have been found for solving knapsack
problems involving sequences obtained by iterating modular multiplications with different
moduli.


A comprehensive discussion of knapsack ciphers can be found in [Od90]. This
article describes knapsack ciphers and their generalizations, and goes on to explain the 
attacks that have been found for breaking them. 


EXERCISES 


1. Decide whether each of the following sequences is super-increasing. 

a) (3, 5, 9, 19, 40)        c) (3, 7, 17, 30, 59) 
b) (2, 6, 10, 15, 36)       d) (11, 21, 41, 81, 151) 

2. Show that if $a_1, a_2, \ldots, a_n$ is a super-increasing sequence, then $a_j \ge 2^{j-1}$ for 
j = 1, 2, ..., n. 

3. Show that the sequence $a_1, a_2, \ldots, a_n$ is super-increasing if $a_{j+1} > 2a_j$ for 
j = 1, 2, ..., $n - 1$. 

4. Find all subsets of the integers 2, 3, 4, 7, 11, 13, 16 that have 18 as their sum. 

5. Find the sequence obtained from the super-increasing sequence (1, 3, 5, 10, 20, 41, 81) when 
modular multiplication is applied with multiplier w = 17 and modulus m = 163. 

6. Encrypt the message BUY NOW using the knapsack cipher based on the sequence obtained 
from the super-increasing sequence (17, 19, 37, 81, 160), by performing modular multiplication 
with multiplier w = 29 and modulus m = 331. 

7. Decrypt the ciphertext 402 75 120 325 that was encrypted by the knapsack cipher based on the 
sequence (306, 374, 233, 19, 259). This sequence is obtained by using modular multiplication 
with multiplier w = 17 and modulus m = 464, to transform the super-increasing sequence 
(18, 22, 41, 83, 179). 

8. Find the sequence obtained by applying successively the modular multiplications with 
multipliers and moduli (7, 92), (11, 95), and (6, 101), respectively, on the super-increasing sequence 
(3, 4, 8, 17, 33, 67). 

9. What process can be employed to decrypt messages that have been encrypted using knapsack 
ciphers that involve sequences arising from iterating modular multiplications with different 
moduli? 


A multiplicative knapsack problem is a problem of the following type: Given positive integers 
$a_1, a_2, \ldots, a_n$ and a positive integer P, find the subset, or subsets, of these integers with product 
P, or equivalently, find all solutions of 

$$P = a_1^{x_1} a_2^{x_2} \cdots a_n^{x_n},$$

where $x_j = 0$ or 1 for j = 1, 2, ..., n. 

10. Find all products of subsets of the integers 2, 3, 5, 6, 10 equal to 60. 

11. Find all products of subsets of the integers 8, 13, 17, 21, 95, 121 equal to 15,960. 

12. Show that if the integers $a_1, a_2, \ldots, a_n$ are pairwise relatively prime, then the multiplicative 
knapsack problem $P = a_1^{x_1} a_2^{x_2} \cdots a_n^{x_n}$, $x_j = 0$ or 1 for j = 1, 2, ..., n, is easily solved from 
the prime factorizations of the integers $P, a_1, a_2, \ldots, a_n$, and show that if there is a solution, 
then it is unique. 

13. Show that by taking logarithms to the base b modulo m, where (b, m) = 1 and 0 < b < m, 
the multiplicative knapsack problem 

$$P = a_1^{x_1} a_2^{x_2} \cdots a_n^{x_n}$$

is converted into an additive knapsack problem 

$$S = \alpha_1 x_1 + \alpha_2 x_2 + \cdots + \alpha_n x_n,$$

where $S, \alpha_1, \alpha_2, \ldots, \alpha_n$ are the logarithms of $P, a_1, a_2, \ldots, a_n$ to the base b modulo m, 
respectively. 

14. Explain how Exercises 12 and 13 can be used to produce ciphers where messages are easily 
decrypted when the mutually relatively prime integers $a_1, a_2, \ldots, a_n$ are known, but cannot 
be decrypted quickly when the integers $\alpha_1, \alpha_2, \ldots, \alpha_n$ are known. 


Computations and Explorations 


1. Starting with a super-increasing sequence that you have constructed, perform modular 
multiplication with modulus m and multiplier w to find a sequence to serve as your public key 
for the knapsack cipher. 

2. For each of your classmates, encrypt a message using their public key for the knapsack cipher. 

3. Decrypt the messages that were sent to you by classmates. 

4. Using algorithms described in [Od90], solve knapsack problems based on a sequence obtained 
by modular multiplication of a super-increasing sequence. 


Programming Projects 


1. Given a knapsack problem, solve it by trial and error. 

2. Given a knapsack problem involving a super-increasing sequence, solve it. 

3. Given a message, encrypt it using a knapsack cipher. 

4. Given a message that was encrypted using knapsack ciphers and the super-increasing 
sequence used for this encryption, decrypt it. 

5. Encrypt and decrypt messages using knapsack ciphers involving sequences arising from 
iterating modular multiplications with different moduli. 

6. Solve multiplicative knapsack problems involving sequences of mutually relatively prime 
integers (see Exercise 14). 


8.6 Cryptographic Protocols and Applications 


In this section, we describe how cryptosystems can be used in protocols, which are 
algorithms carried out by two or more parties to achieve a specific goal, and in other 
cryptographic applications. In particular, we will show how two or more people can 
exchange encryption keys. We will also explain how messages can be signed using the 
RSA cryptosystem, and how cryptography can be used to allow people to play poker 
fairly over a network. Finally, we will show how people can share a secret, so that no 
one person knows the secret, but a large enough group of people can recover the secret 
by cooperating. These are only a few of the many examples of protocols and applications 
that we could discuss; the interested reader should consult [MevaVa97] to learn about 
additional protocols and applications based on the ideas we have covered in this chapter. 


Diffie-Hellman Key Exchange 


We will now discuss a protocol that allows two parties to exchange a secret key over 
an insecure communications link without having shared any information in the past. 
Exchanging keys is a problem of fundamental importance in cryptography. The method 
that we will describe was invented by Diffie and Hellman in 1976 (see [DiHe76]) and is 
called the Diffie-Hellman key agreement protocol. The common secret key generated by 
this protocol can be used as a shared key for a symmetric cryptosystem to be used during 
a particular communication session by parties who have never met or shared any prior 
information. It has the property that unauthorized parties cannot discover it in a feasible 
amount of computer time. 


To implement this protocol, we need a large prime p and an integer r such that the 
least positive residue of $r^k$ runs inclusively through all integers from 1 to $p - 1$. (This 
means that r is a primitive root of p, a concept that we will study in Chapter 9.) Both 
the large prime p and the integer r are public information. 


In this protocol, two parties who want to share a common key each pick a random 
private value from the set of positive integers between 1 and $p - 2$, inclusive. If the two 
parties select $k_1$ and $k_2$, respectively, the first party sends the second party the integer $y_1$, 
where 

$$y_1 \equiv r^{k_1} \pmod p, \quad 0 < y_1 < p,$$

and the second party finds the common key K by computing 

$$K \equiv y_1^{k_2} \equiv r^{k_1 k_2} \pmod p, \quad 0 < K < p.$$

Similarly, the second party sends the first party the integer $y_2$, where 

$$y_2 \equiv r^{k_2} \pmod p, \quad 0 < y_2 < p,$$

and the first party finds the common key K by computing 

$$K \equiv y_2^{k_1} \equiv r^{k_1 k_2} \pmod p, \quad 0 < K < p.$$


The security of this key agreement protocol depends on the difficulty of determining 
the secret key K, given the least positive residues of $r^{k_1}$ and $r^{k_2}$ modulo p; that is, it 
depends on the difficulty of computing what are known as discrete logarithms modulo p 
(to be discussed in Chapter 9), which is thought to be a computationally difficult problem. 
It has been shown (see [Ma94]) that breaking this protocol is equivalent to computing 
discrete logarithms, when certain conditions hold. 
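The exchange above, as an added Python example that is not from the book. The prime p = 467 with primitive root r = 2 and the fixed private values in the demo are constructed toy parameters. The exhaustive search at the end shows why the text insists on a large prime: with a modulus this small, the private value is found from the public one in at most p − 1 multiplications.

```python
import secrets


def is_prime(n):
    """Trial division; adequate only for the toy modulus used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def is_primitive_root(r, p):
    """Definition used in the text: the residues of r^k cover 1, ..., p - 1."""
    return {pow(r, k, p) for k in range(1, p)} == set(range(1, p))


class Party:
    """One side of the key agreement; p and r are the public parameters."""

    def __init__(self, p, r, private=None):
        if not is_prime(p) or not is_primitive_root(r, p):
            raise ValueError("p must be prime and r a primitive root of p")
        self.p, self.r = p, r
        # Private value from 1, ..., p - 2, drawn from the OS random source.
        if private is None:
            private = secrets.randbelow(p - 2) + 1
        if not 1 <= private <= p - 2:
            raise ValueError("private value must lie between 1 and p - 2")
        self._k = private

    def public_value(self):
        """y = r^k mod p, the integer sent over the insecure link."""
        return pow(self.r, self._k, self.p)

    def shared_key(self, y_other):
        """K = y_other^k mod p; reject values outside 0 < y < p."""
        if not 0 < y_other < self.p:
            raise ValueError("received value must satisfy 0 < y < p")
        return pow(y_other, self._k, self.p)


def exhaustive_discrete_log(y, r, p):
    """Smallest k >= 1 with r^k = y (mod p), found by trying every exponent."""
    value = 1
    for k in range(1, p):
        value = (value * r) % p
        if value == y:
            return k
    raise ValueError("y is not a power of r modulo p")


if __name__ == "__main__":
    first, second = Party(467, 2, private=153), Party(467, 2, private=197)
    y1, y2 = first.public_value(), second.public_value()
    print("common key:", first.shared_key(y2), second.shared_key(y1))
    print("private value recovered from y1:", exhaustive_discrete_log(y1, 2, 467))
```
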


In a similar manner, a common key can be shared by any group of n individuals. If 
these individuals have keys $k_1, k_2, \ldots, k_n$, they can share the common key 

$$K \equiv r^{k_1 k_2 \cdots k_n} \pmod p.$$


We leave an explicit description of a method used to produce this common key as a 
problem for the reader. 


The topic of key establishment protocols extends far beyond what we have described 
here. Many different protocols for establishing shared keys have been developed, including 
protocols that make use of trusted servers for distributing keys. To learn more about 
this topic, consult Chapter 12 of [MevaVa97]. 


Digital Signatures 


When we receive an electronic message, how do we know that it has come from the 
supposed sender? We need a digital signature that can tell us that the message must 
have originated with the party who supposedly sent it. We will show that a public key 
cryptosystem, such as the RSA cryptosystem, can be used to send “signed” messages. 
When signatures are used, the recipient of a message is sure that the message came from 
the sender, and can convince an impartial judge that only the sender could be the source 
of the message. This authentication is needed for electronic mail, electronic banking, 
and electronic stock market transactions. To see how the RSA cryptosystem can be used 
to send signed messages, suppose that individual i wishes to send a signed message to 
individual j. The first thing that individual i does to a plaintext block P is to compute 


$$S = D_{k_i}(P) \equiv P^{d_i} \pmod{n_i},$$

where $(d_i, n_i)$ is the decrypting key for individual i, which only individual i knows. Then, 
if $n_j > n_i$, where $(e_j, n_j)$ is the encryption key for individual j, individual i encrypts S 
by forming 

$$C = E_{k_j}(S) \equiv S^{e_j} \pmod{n_j}, \quad 0 < C < n_j.$$

When $n_j < n_i$, individual i splits S into blocks of size less than $n_j$ and encrypts each 
block using the encrypting transformation $E_{k_j}$. 


For decrypting, individual j first uses the private decrypting transformation $D_{k_j}$ to 
recover S, because 

$$D_{k_j}(C) = D_{k_j}(E_{k_j}(S)) = S.$$

To find the plaintext message P, supposedly sent by individual i, individual j next uses 
the public encrypting transformation $E_{k_i}$, because 

$$E_{k_i}(S) = E_{k_i}(D_{k_i}(P)) = P.$$

Here, we have used the identity $E_{k_i}(D_{k_i}(P)) = P$, which follows from the fact that 

$$E_{k_i}(D_{k_i}(P)) \equiv (P^{d_i})^{e_i} \equiv P^{d_i e_i} \equiv P \pmod{n_i},$$

because 

$$d_i e_i \equiv 1 \pmod{\phi(n_i)}.$$


The combination of the plaintext block P and the signed version S convinces individual j 
that the message actually came from individual i. Also, individual i cannot deny sending 
the message, because no one other than individual i could have produced the signed 
message S from the original message P. 
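The signing procedure above, as an added Python example that is not from the book. The two key pairs are constructed from small primes for illustration, and splitting S into base-$n_j$ digits is this example's assumption about how the "blocks of size less than $n_j$" are formed when $n_j < n_i$.

```python
from math import gcd


def make_key(p, q, e):
    """Return ((e, n), (d, n)); d is the inverse of e modulo phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)


def to_blocks(value, n):
    """Write value in base n so each block is less than n (low digit first)."""
    blocks = []
    while True:
        value, digit = divmod(value, n)
        blocks.append(digit)
        if value == 0:
            return blocks


def from_blocks(blocks, n):
    """Inverse of to_blocks."""
    value = 0
    for digit in reversed(blocks):
        value = value * n + digit
    return value


def sign_and_encrypt(P, sender_private, recipient_public):
    """Individual i: S = P^d_i mod n_i, then each block of S is raised to e_j mod n_j."""
    d_i, n_i = sender_private
    e_j, n_j = recipient_public
    if not 0 <= P < n_i:
        raise ValueError("plaintext block must be less than the sender's modulus")
    S = pow(P, d_i, n_i)
    # One block when n_j > n_i; more than one may be needed when n_j < n_i.
    return [pow(block, e_j, n_j) for block in to_blocks(S, n_j)]


def decrypt_and_recover(C_blocks, recipient_private, sender_public):
    """Individual j: undo E_kj with d_j, then apply the sender's public E_ki."""
    d_j, n_j = recipient_private
    e_i, n_i = sender_public
    S = from_blocks([pow(c, d_j, n_j) for c in C_blocks], n_j)
    if S >= n_i:
        raise ValueError("decrypted value is not a valid signed block")
    return pow(S, e_i, n_i), S   # (P, S): j keeps S as evidence of origin


# Constructed keys: n_i = 61 * 53 = 3233 and n_j = 89 * 97 = 8633, so n_j > n_i.
PUB_I, PRIV_I = make_key(61, 53, 17)
PUB_J, PRIV_J = make_key(89, 97, 5)

if __name__ == "__main__":
    C = sign_and_encrypt(1234, PRIV_I, PUB_J)
    print(C, decrypt_and_recover(C, PRIV_J, PUB_I))
```

Textbook RSA as shown here has no hashing or padding; deployed signature schemes sign a padded hash of the message (RSA-PSS, for example).
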


Electronic Poker 


An amusing application of exponentiation ciphers has been described by Shamir, Rivest, 
and Adleman [ShRiAd81]. They show that by using exponentiation ciphers, a fair game 
of poker may be played by two players, communicating via computers. Suppose that 
Alex and Betty wish to play poker. First, they jointly choose a large prime p. Next, 
they individually choose secret keys $e_1$ and $e_2$, to be used as exponents in modular 
exponentiation. Let $E_{e_1}$ and $E_{e_2}$ represent the corresponding encrypting transformations, 
so that 

$$E_{e_1}(M) \equiv M^{e_1} \pmod p$$
$$E_{e_2}(M) \equiv M^{e_2} \pmod p,$$

where M is a plaintext message. Let $d_1$ and $d_2$ be the respective inverses of $e_1$ and $e_2$ 
modulo p, and let $D_{e_1}$ and $D_{e_2}$ be the corresponding decrypting transformations, so that 

$$D_{e_1}(C) \equiv C^{d_1} \pmod p$$
$$D_{e_2}(C) \equiv C^{d_2} \pmod p,$$

where C is a ciphertext message. 

Note that encrypting transformations commute, that is, 

$$E_{e_1}(E_{e_2}(M)) = E_{e_2}(E_{e_1}(M)),$$

because $(M^{e_2})^{e_1} \equiv (M^{e_1})^{e_2} \pmod p$. 

To play electronic poker, the deck of cards is represented by the 52 messages 

$M_1$ = “TWO OF CLUBS” 
$M_2$ = “THREE OF CLUBS” 
⋮ 
$M_{52}$ = “ACE OF SPADES.” 




When Alex and Betty wish to play poker electronically, they use the following sequence 
of steps. We suppose that Betty is the dealer. 


1. Betty uses her encrypting transformation to encipher the 52 messages for the 
cards. She obtains $E_{e_2}(M_1), E_{e_2}(M_2), \ldots, E_{e_2}(M_{52})$. Betty shuffles the deck, 
by randomly reordering the encrypted messages. Then she sends the 52 shuffled 
encrypted messages to Alex. 

2. Alex selects, at random, five of the encrypted messages that Betty has sent 
him. He returns these five messages to Betty and she decrypts them to find her 
hand, using her decrypting transformation $D_{e_2}$, because $D_{e_2}(E_{e_2}(M)) = M$ for all 
messages M. Alex cannot determine which cards Betty has, because he cannot 
decrypt the encrypted messages $E_{e_2}(M_j)$, j = 1, 2, ..., 52. 

3. Alex selects five other encrypted messages at random. Let these messages be 
$C_1, C_2, C_3, C_4$, and $C_5$, where 

$$C_j = E_{e_2}(M_{i_j}),$$

j = 1, 2, 3, 4, 5. Alex encrypts these five previously encrypted messages using his 
encrypting transformation. He obtains the five messages 

$$C_j^* = E_{e_1}(C_j) = E_{e_1}(E_{e_2}(M_{i_j})),$$

j = 1, 2, 3, 4, 5. Alex sends these five messages that have been encrypted twice 
(first by Betty and afterward by Alex) to Betty. 

4. Betty uses her decrypting transformation $D_{e_2}$ to find 

$$D_{e_2}(C_j^*) = D_{e_2}(E_{e_1}(E_{e_2}(M_{i_j}))) = D_{e_2}(E_{e_2}(E_{e_1}(M_{i_j}))) = E_{e_1}(M_{i_j}),$$

because $E_{e_1}(E_{e_2}(M)) = E_{e_2}(E_{e_1}(M))$ and $D_{e_2}(E_{e_2}(M)) = M$ for all messages 
M. Betty sends the five messages $E_{e_1}(M_{i_j})$ back to Alex. 

5. Alex uses his decrypting transformation $D_{e_1}$ to obtain his hand, because 

$$D_{e_1}(E_{e_1}(M_{i_j})) = M_{i_j}.$$


When a game is played where it is necessary to deal additional cards, such as draw 
poker, the same steps are followed to deal additional cards from the remaining deck. 
Note that using the procedure we have described, neither player knows the cards in the 
hand of the other player, and all hands are equally likely for each player. To guarantee 
that no cheating has occurred, at the end of the game both players reveal their keys so 
that each player can verify that the other player was actually dealt the cards claimed. 
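Steps 1 through 5 and the end-of-game key reveal, as an added Python example that is not from the book. The prime $2^{61} - 1$, the encoding of card $M_i$ as the integer i + 1, and the order of the two middle suits are assumptions of this example. The decrypting exponents are computed as inverses of the encrypting exponents modulo p − 1, the modulus for which Fermat's little theorem gives D(E(M)) = M.

```python
import random
import secrets
from math import gcd

P = 2**61 - 1                     # jointly chosen prime (constructed value)
RANKS = ["TWO", "THREE", "FOUR", "FIVE", "SIX", "SEVEN", "EIGHT", "NINE",
         "TEN", "JACK", "QUEEN", "KING", "ACE"]
SUITS = ["CLUBS", "DIAMONDS", "HEARTS", "SPADES"]   # middle suit order assumed
DECK = list(range(2, 54))         # card M_i is encoded as the integer i + 1


def card_name(m):
    """Map an encoded card back to its message text."""
    suit, rank = divmod(m - 2, 13)
    return f"{RANKS[rank]} OF {SUITS[suit]}"


def keygen(p=P):
    """Secret exponent e prime to p - 1, and d with e*d = 1 (mod p - 1)."""
    while True:
        e = secrets.randbelow(p - 3) + 2
        if gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)


def deal(p=P, rng=None):
    """Run steps 1-5 with Betty as dealer; return the full transcript."""
    rng = rng or random.SystemRandom()
    e1, d1 = keygen(p)            # Alex
    e2, d2 = keygen(p)            # Betty
    # Step 1: Betty encrypts every card and shuffles the encrypted deck.
    deck = [pow(m, e2, p) for m in DECK]
    rng.shuffle(deck)
    # Step 2: Alex picks five encrypted cards for Betty; she decrypts them.
    picks = rng.sample(range(len(deck)), 10)
    to_betty = [deck[i] for i in picks[:5]]
    betty_hand = [pow(c, d2, p) for c in to_betty]
    # Step 3: Alex picks five other cards and adds his own encryption.
    c = [deck[i] for i in picks[5:]]
    c_star = [pow(x, e1, p) for x in c]
    # Step 4: Betty removes her layer; the cards stay encrypted under e1.
    from_betty = [pow(x, d2, p) for x in c_star]
    # Step 5: Alex removes his layer and reads his hand.
    alex_hand = [pow(x, d1, p) for x in from_betty]
    return {"p": p, "alex_key": (e1, d1), "betty_key": (e2, d2),
            "deck": deck, "to_betty": to_betty, "c": c, "c_star": c_star,
            "from_betty": from_betty, "betty_hand": betty_hand,
            "alex_hand": alex_hand}


def audit(t):
    """Checks each player can run once both keys are revealed."""
    p = t["p"]
    (e1, d1), (e2, d2) = t["alex_key"], t["betty_key"]
    return all([
        (e1 * d1) % (p - 1) == 1 and (e2 * d2) % (p - 1) == 1,
        # Betty's shuffled deck held each of the 52 cards exactly once.
        sorted(pow(c, d2, p) for c in t["deck"]) == DECK,
        # Betty's claimed hand is what Alex actually sent her.
        [pow(c, d2, p) for c in t["to_betty"]] == t["betty_hand"],
        # Every message in steps 3 and 4 matches the revealed keys.
        [pow(x, e1, p) for x in t["c"]] == t["c_star"],
        [pow(x, d2, p) for x in t["c_star"]] == t["from_betty"],
        # Alex's claimed hand is the five cards he selected.
        [pow(x, d2, p) for x in t["c"]] == t["alex_hand"],
    ])


if __name__ == "__main__":
    game = deal()
    print("Betty:", [card_name(m) for m in game["betty_hand"]])
    print("Alex: ", [card_name(m) for m in game["alex_hand"]])
    print("audit passed:", audit(game))
```
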


A description of a possible weakness in this scheme, and how it may be overcome, 
may be found in the exercise set of Section 11.1. 


Secret Sharing 


We now discuss another application of cryptography, namely, a method for sharing 
secrets. Suppose that in a communications network there is some vital, but extremely 
sensitive, information. If this information is distributed to several individuals, it becomes 
much more vulnerable to exposure; on the other hand, if this information is lost, there 
are serious consequences. An example of such information is the master key K used for 
access to the password file in a computer system. 


To protect this master key K from both loss and exposure, we construct shadows 
$k_1, k_2, \ldots, k_r$, which are given to r different individuals. We will show that the key K 
can be produced easily from any s of these shadows, where s is a positive integer less 
than r, whereas the knowledge of less than s of these shadows does not permit the key 
K to be found. Because at least s different individuals are needed to find K, the key 
is not vulnerable to exposure. In addition, the key K is not vulnerable to loss, because 
any s individuals from the r individuals with shadows can produce K. Schemes with 
properties we have just described are called (s, r)-threshold schemes. 


To develop a system that can be used to generate shadows with these properties, we 
use the Chinese remainder theorem. We choose a prime p greater than the key K and a 
sequence of pairwise relatively prime integers $m_1, m_2, \ldots, m_r$ that are not divisible by 
p, such that 

$$m_1 < m_2 < \cdots < m_r,$$

and 

(8.7)    $m_1 m_2 \cdots m_s > p\, m_r m_{r-1} \cdots m_{r-s+2}$. 


Note that the inequality (8.7) states that the product of the s smallest of the integers $m_j$ 
is greater than the product of p and the $s - 1$ largest of the integers $m_j$. From (8.7), we 
see that if $M = m_1 m_2 \cdots m_s$, then M/p is greater than the product of any set of $s - 1$ 
of the integers $m_j$. 


Now let t be a nonnegative integer less than M/p that is chosen at random. Let 

$$K_0 = K + tp,$$

so that $0 \le K_0 \le M - 1$ (because $0 \le K_0 = K + tp < p + tp = (t + 1)p \le (M/p)p = M$). 


To produce the shadows $k_1, k_2, \ldots, k_r$, we let $k_j$ be the integer such that 

$$k_j \equiv K_0 \pmod{m_j}, \quad 0 \le k_j < m_j,$$

for j = 1, 2, ..., r. To see that the master key K can be found by any s individuals from 
the total of r individuals with shadows, suppose that the s shadows $k_{j_1}, k_{j_2}, \ldots, k_{j_s}$ 
are available. Using the Chinese remainder theorem, we can easily find the least positive 
residue of $K_0$ modulo $M_j$, where $M_j = m_{j_1} m_{j_2} \cdots m_{j_s}$. Because we know that 
$0 \le K_0 < M \le M_j$, we can determine $K_0$, and then find $K = K_0 - tp$. 


On the other hand, suppose that we know only the $s - 1$ shadows $k_{i_1}, k_{i_2}, \ldots, k_{i_{s-1}}$. 
By the Chinese remainder theorem, we can determine the least positive residue a of $K_0$ 
modulo $M_i$, where $M_i = m_{i_1} m_{i_2} \cdots m_{i_{s-1}}$. With these shadows, the only information we 
have about $K_0$ is that a is the least positive residue of $K_0$ modulo $M_i$ and $0 \le K_0 < M$. 
Consequently, we only know that 

$$K_0 = a + x M_i,$$

where $0 \le x < M/M_i$. From (8.7), we can conclude that $M/M_i > p$, so that as x ranges 
through the positive integers less than $M/M_i$, x takes every value in a full set of residues 
modulo p. Because $(m_j, p) = 1$ for j = 1, 2, ..., s, we know that $(M_i, p) = 1$ and, 
consequently, $a + x M_i$ runs through a full set of residues modulo p as x does. Hence, 
we see that the knowledge of $s - 1$ shadows is insufficient to determine $K_0$, as $K_0$ could 
be in any of the p congruence classes modulo p. 


We use an example to illustrate this threshold scheme. 


Example 8.21. Let K = 4 be the master key. We will use a (2, 3)-threshold scheme 
of the kind just described, with p = 7, $m_1 = 11$, $m_2 = 12$, and $m_3 = 17$, so that 
$M = m_1 m_2 = 132 > p\,m_3 = 119$. We pick t = 14 randomly from among the positive integers 
less than M/p = 132/7. This gives us 

$$K_0 = K + tp = 4 + 14 \cdot 7 = 102.$$

The three shadows $k_1$, $k_2$, and $k_3$ are the least positive residues of $K_0$ modulo $m_1$, $m_2$, 
and $m_3$; that is, 

$$k_1 \equiv 102 \equiv 3 \pmod{11}$$
$$k_2 \equiv 102 \equiv 6 \pmod{12}$$
$$k_3 \equiv 102 \equiv 0 \pmod{17},$$

so that the three shadows are $k_1 = 3$, $k_2 = 6$, and $k_3 = 0$. 

We can recover the master key K from any two of the three shadows. Suppose we 
know that $k_1 = 3$ and $k_3 = 0$. Using the Chinese remainder theorem, we can determine 
$K_0$ modulo $m_1 m_3 = 11 \cdot 17 = 187$; in other words, because $K_0 \equiv 3 \pmod{11}$ and 
$K_0 \equiv 0 \pmod{17}$, we have $K_0 \equiv 102 \pmod{187}$. Because $0 \le K_0 < M = 132 < 187$, we know 
that $K_0 = 102$, and consequently the master key is $K = K_0 - tp = 102 - 14 \cdot 7 = 4$. 


For more details on secret sharing schemes, see [MevaVa97]. 
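The threshold scheme and Example 8.21, as an added Python example that is not from the book. The function names are this example's own, p is assumed to be prime, and t is limited to values that keep $K_0 = K + tp$ below M. The last function shows what s − 1 shadows reveal: every key value modulo p remains possible.

```python
import secrets
from itertools import combinations
from math import gcd, prod


def check_parameters(p, moduli, s):
    """Validate m_1 < ... < m_r and inequality (8.7); return M = m_1 ... m_s."""
    r = len(moduli)
    if not 1 <= s <= r:
        raise ValueError("need 1 <= s <= r")
    if any(a >= b for a, b in zip(moduli, moduli[1:])):
        raise ValueError("moduli must be strictly increasing")
    if any(m % p == 0 for m in moduli):
        raise ValueError("no modulus may be divisible by p")
    if any(gcd(a, b) != 1 for a, b in combinations(moduli, 2)):
        raise ValueError("moduli must be pairwise relatively prime")
    M = prod(moduli[:s])
    # (8.7): product of the s smallest > p times product of the s - 1 largest.
    if M <= p * prod(moduli[r - s + 1:]):
        raise ValueError("inequality (8.7) fails")
    return M


def make_shadows(K, p, moduli, s, t=None):
    """Return the shadows k_j = K0 mod m_j, where K0 = K + t*p."""
    M = check_parameters(p, moduli, s)
    if not 0 <= K < p:
        raise ValueError("the key must satisfy 0 <= K < p")
    t_max = (M - 1 - K) // p      # largest t that keeps K0 below M
    if t is None:
        t = secrets.randbelow(t_max + 1)
    if not 0 <= t <= t_max:
        raise ValueError("t is out of range")
    K0 = K + t * p
    return [K0 % m for m in moduli]


def crt(shares):
    """Combine (k_j, m_j) pairs; return (x, N) with x = k_j (mod m_j), 0 <= x < N."""
    x, N = 0, 1
    for k, m in shares:
        x += N * (((k - x) * pow(N, -1, m)) % m)
        N *= m
    return x, N


def recover(shares, p):
    """With at least s shares the CRT value is K0 itself."""
    K0, _ = crt(shares)
    return K0 % p                 # K = K0 - t*p with 0 <= K < p


def candidate_keys(shares, p, M):
    """Keys consistent with too few shares: K0 = a + x*M_i for all K0 < M."""
    a, Mi = crt(shares)
    return {(a + x * Mi) % p for x in range((M - a + Mi - 1) // Mi)}


if __name__ == "__main__":
    moduli = [11, 12, 17]                          # Example 8.21
    shadows = make_shadows(4, 7, moduli, 2, t=14)
    shares = list(zip(shadows, moduli))
    print("shadows:", shadows)
    for pair in combinations(shares, 2):
        print(pair, "->", recover(list(pair), 7))
    print("one shadow leaves:", candidate_keys([shares[2]], 7, 132))
```
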


EXERCISES 


1. Using the Diffie-Hellman key agreement protocol, find the common key that can be used by 
two parties with keys $k_1 = 27$ and $k_2 = 31$ when the modulus is p = 103 and the base r = 5. 

2. Using the Diffie-Hellman key agreement protocol, find the common key that can be used by 
two parties with keys $k_1 = 7$ and $k_2 = 8$ when the modulus is p = 53 and the base is r = 2. 

3. What is the group key K that can be shared by three parties with keys $k_1 = 3$, $k_2 = 10$, and 
$k_3 = 5$, using the modulus p = 601 and base r = 7? 

4. What is the group key K that can be shared by four parties with keys $k_1 = 11$, $k_2 = 12$, $k_3 = 17$, 
and $k_4 = 19$, using the modulus p = 1009 and base r = 3? 

5. Describe the steps of a protocol that allows n parties to share a common key, as described in 
the text. 

6. Romeo and Juliet have as their RSA keys (5, 19 · 67) and (3, 11 · 71), respectively. 

a) Using the method in the text, what is the signed ciphertext message sent by Romeo to 
Juliet when the plaintext message is GOODBYE SWEET LOVE? 

b) Using the method in the text, what is the signed ciphertext message sent by Juliet to Romeo 
when the plaintext message is ADIEU FOREVER? 

7. Harold and Audrey have as their RSA keys (3, 23 · 47) and (7, 31 · 59), respectively. 

a) Using the method in the text, what is the signed ciphertext sent by Harold to Audrey when 
the plaintext message is CHEERS HAROLD? 

b) Using the method in the text, what is the signed ciphertext sent by Audrey to Harold when 
the plaintext message is SINCERELY AUDREY? 


In Exercises 8 and 9, we present two methods for sending signed messages using the RSA cipher 
system, avoiding possible changes in block sizes. 


8. Let H be a fixed integer. Let each individual have two pairs of encrypting keys: $k = (e, n)$ 
and $k^* = (e, n^*)$ with $n < H < n^*$, where n and $n^*$ are each the product of two primes. Using 
the RSA cryptosystem, individual i can send a signed message P to individual j by sending 
$E_{k_j^*}(D_{k_i}(P))$. 

a) Show that it is not necessary to change block sizes when the transformation $E_{k_j^*}$ is applied 
after $D_{k_i}$ has been applied. 

b) Explain how individual j can recover the plaintext message P, and why no one other than 
individual i could have sent the message. 

c) Let individual i have encrypting keys (3, 11 · 71) and (3, 29 · 41), so that 781 = 11 · 71 
< 1000 < 1189 = 29 · 41, and let individual j have enciphering keys (7, 19 · 47) and 
(7, 31 · 37), so that 893 = 19 · 47 < 1000 < 1147 = 31 · 37. What ciphertext message 
does individual i send to individual j using the method given at the beginning of this 
exercise when the signed plaintext message is HELLO ADAM? What ciphertext message 
does individual j send to individual i when the signed plaintext message is GOODBYE 
ALICE? 

9. a) Show that if individuals i and j have encrypting keys $k_i = (e_i, n_i)$ and $k_j = (e_j, n_j)$, 
respectively, where both $n_i$ and $n_j$ are products of two distinct primes, then individual i 
can send a signed message P to individual j without needing to change the size of blocks, 
by sending 

$E_{k_j}(D_{k_i}(P))$ if $n_i < n_j$, 

$D_{k_i}(E_{k_j}(P))$ if $n_i > n_j$. 

b) How can individual j recover P? 

c) How can individual j guarantee that a message came from individual i? 

d) Let $k_i = (11, 47 \cdot 61)$ and $k_j = (13, 43 \cdot 59)$. Using the method described in part (a), what 
does individual i send to individual j if the message is REGARDS FRED, and what does 
individual j send to individual i if the message is REGARDS ZELDA? 


10. Decompose the master key K = 5 into three shadows using a (2, 3)-threshold scheme of the 
type described in the text, with p = 7, $m_1 = 11$, $m_2 = 12$, $m_3 = 17$, and t = 14, as in Example 
8.21. 

11. Decompose the master key K = 3 into three shadows using a (2, 3)-threshold scheme of the 
type described in the text, with p = 5, $m_1 = 8$, $m_2 = 9$, $m_3 = 11$, and t = 13. 

12. Show how to recover the master key K from each of the three pairs of shadows found in 
Exercise 10. 

13. Show how to recover the master key K from each of the three pairs of shadows found in 
Exercise 11. 

14. Construct a (3, 5)-threshold scheme of the type described in the text. Use the scheme to 
decompose the master key K = 22 into five shadows, and show how the master key can be 
found using one set of three shadows so produced. 


COMPUTATIONAL AND PROGRAMMING EXERCISES 


Computations and Explorations 


1. Produce a set of common keys using a prime p with more than 100 digits. 

2. Produce some signed messages using the RSA cryptosystem and verify that these messages 
came from the supposed sender. 

3. Construct a (4, 6)-threshold scheme that decomposes a master key into six shadows. Distribute 
these shadows to six members of your class, and then select three different groups of four of 
these six people, reconstructing the key from the four shadows of the people in each group. 


Programming Projects 


1. Produce common keys for individuals in a network. 

2. Given a message, the encryption key (e, ,) of the recipient, and the decryption key (d, 1) 
of the sender, sign and encrypt a message. 

3. Send signed messages using an RSA cipher and the method in Exercise 8. 

4. Send signed messages using an RSA cipher and the method in Exercise 9. 

5. Play electronic poker using encryption via modular exponentiation. 

6. Find the shadows in a threshold scheme of the type described in the text. 

7. Given a set of shadows for the threshold scheme described in the text, recover the master key. 


Primitive Roots 


In this chapter, we will investigate the multiplicative structure of the set of integers 
modulo n, where n is a positive integer. First, we will introduce the concept of the order 
of an integer modulo n, which is the least power of the integer that leaves a remainder 
of 1 when it is divided by n. We will study the basic properties of the order of integers 
modulo n. A positive integer x, such that the powers of x run through all the integers 
modulo n, where n is a positive integer, is called a primitive root modulo n. We will 
determine for which integers n there is a primitive root modulo n. 


Primitive roots have many uses. For example, when an integer n has a primitive 
root, discrete logarithms (also called indices) of integers can be defined. These discrete 
logarithms enjoy many properties analogous to those of logarithms of positive real 
numbers. Discrete logarithms can be used to simplify computations modulo n. 


We will show how the results of this chapter can be used to develop primality tests 
that are partial converses of Fermat’s little theorem. These tests, such as Proth’s test, are 
used extensively to show that numbers of special forms are prime. We will also establish 
procedures that can be used to certify that an integer is prime. 


Finally, we will introduce the concept of the minimal universal exponent modulo n. 
This is the least exponent U for which $x^U \equiv 1 \pmod n$ for all integers x. We will develop 
a formula for the minimal universal exponent of n, and use this formula to prove some 
useful results about Carmichael numbers. 


9.1 The Order of an Integer and Primitive Roots 


In this section, we begin our study of the least positive residues modulo n of powers of 
an integer a relatively prime to n, where n is an integer greater than 1. We will start by 
studying the order of a modulo n, the exponent of the least power of a congruent to 
1 modulo n. Then, we will study integers a such that the least positive residues of the 
powers of a run through all positive integers less than n that are relatively prime to n. 
Such integers, when they exist, are called primitive roots of n. One of our major goals 
in this chapter will be to determine which positive integers have primitive roots. 


The Order of an Integer 


By Euler’s theorem, if n is a positive integer and if a is an integer relatively prime to n, 
then $a^{\phi(n)} \equiv 1 \pmod n$. Therefore, at least one positive integer x satisfies the congruence 
$a^x \equiv 1 \pmod n$. Consequently, by the well-ordering property, there is a least positive 
integer x satisfying this congruence. 


Definition. Let a and n be relatively prime integers with $a \ne 0$ and n positive. Then 
the least positive integer x such that $a^x \equiv 1 \pmod n$ is called the order of a modulo n 
and is denoted by $\operatorname{ord}_n a$. 


This notation $\operatorname{ord}_n a$ was introduced by Gauss in his Disquisitiones Arithmeticae in 
1801. Unlike much other notation used by Gauss, this notation remains in common use. 

Example 9.1. To find the order of 2 modulo 7, we compute the least positive residues 
modulo 7 of powers of 2. We find that 

$$2^1 \equiv 2 \pmod 7, \quad 2^2 \equiv 4 \pmod 7, \quad 2^3 \equiv 1 \pmod 7.$$

Therefore, $\operatorname{ord}_7 2 = 3$. 

Similarly, to find the order of 3 modulo 7, we compute 

$$3^1 \equiv 3 \pmod 7, \quad 3^2 \equiv 2 \pmod 7, \quad 3^3 \equiv 6 \pmod 7,$$
$$3^4 \equiv 4 \pmod 7, \quad 3^5 \equiv 5 \pmod 7, \quad 3^6 \equiv 1 \pmod 7.$$

We see that $\operatorname{ord}_7 3 = 6$. 


To find all solutions of the congruence $a^x \equiv 1 \pmod n$, we need the following 
theorem. 


Theorem 9.1. If a and n are relatively prime integers with $a \ne 0$ and n > 0, then a 
positive integer x is a solution of the congruence $a^x \equiv 1 \pmod n$ if and only if $\operatorname{ord}_n a \mid x$. 

Proof. If $\operatorname{ord}_n a \mid x$, then $x = k \cdot \operatorname{ord}_n a$, where k is a positive integer. Hence, 

$$a^x = a^{k \cdot \operatorname{ord}_n a} = (a^{\operatorname{ord}_n a})^k \equiv 1 \pmod n.$$

Conversely, if $a^x \equiv 1 \pmod n$, we first use the division algorithm to write 

$$x = q \cdot \operatorname{ord}_n a + r, \quad 0 \le r < \operatorname{ord}_n a.$$

From this equation, we see that 

$$a^x = a^{q \cdot \operatorname{ord}_n a + r} = (a^{\operatorname{ord}_n a})^q a^r \equiv a^r \pmod n.$$

Because $a^x \equiv 1 \pmod n$, we know that $a^r \equiv 1 \pmod n$. From the inequality 
$0 \le r < \operatorname{ord}_n a$, we conclude that r = 0 because, by definition, $y = \operatorname{ord}_n a$ is the least positive 
integer such that $a^y \equiv 1 \pmod n$. Because r = 0, we have $x = q \cdot \operatorname{ord}_n a$. Therefore, 
$\operatorname{ord}_n a \mid x$. 


Example 9.2. We can use Theorem 9.1 and Example 9.1 to determine whether x = 10 
and x = 15 are solutions of $2^x \equiv 1 \pmod 7$. By Example 9.1, we know that $\operatorname{ord}_7 2 = 3$. 
Because 3 does not divide 10, but 3 divides 15, by Theorem 9.1 we see that x = 10 is 
not a solution of $2^x \equiv 1 \pmod 7$, but x = 15 is a solution of this congruence. 


Theorem 9.1 leads to the following corollary. 


Corollary 9.1.1. If a and n are relatively prime integers with n > 0, then $\operatorname{ord}_n a \mid \phi(n)$. 

Proof. Because (a, n) = 1, Euler’s theorem tells us that 

$$a^{\phi(n)} \equiv 1 \pmod n.$$

Using Theorem 9.1, we conclude that $\operatorname{ord}_n a \mid \phi(n)$. 

We can use Corollary 9.1.1 as a shortcut when we compute orders. The following 
example illustrates the procedure. 


Example 9.3. To find the order of 7 modulo 9, we first note that $\phi(9) = 6$. Because 
the only positive divisors of 6 are 1, 2, 3, and 6, by Corollary 9.1.1 these are the only 
possible values of $\operatorname{ord}_9 7$. Because 

$$7^1 \equiv 7 \pmod 9, \quad 7^2 \equiv 4 \pmod 9, \quad 7^3 \equiv 1 \pmod 9,$$

it follows that $\operatorname{ord}_9 7 = 3$. 

Example 9.4. To find the order of 5 modulo 17, we first note that $\phi(17) = 16$. Because 
the only positive divisors of 16 are 1, 2, 4, 8, and 16, by Corollary 9.1.1 these are the 
only possible values of $\operatorname{ord}_{17} 5$. Because 

$$5^1 \equiv 5 \pmod{17}, \quad 5^2 \equiv 8 \pmod{17}, \quad 5^4 \equiv 13 \pmod{17},$$
$$5^8 \equiv 16 \pmod{17}, \quad 5^{16} \equiv 1 \pmod{17},$$

we conclude that $\operatorname{ord}_{17} 5 = 16$. 
The following theorem will be useful in our subsequent discussions. 

Theorem 9.2. If a and n are relatively prime integers with n > 0, then $a^i \equiv a^j \pmod n$, 
where i and j are nonnegative integers, if and only if $i \equiv j \pmod{\operatorname{ord}_n a}$. 


Proof. Suppose that $i \equiv j \pmod{\operatorname{ord}_n a}$ and $0 \le j \le i$. Then we have $i = j + k \cdot \operatorname{ord}_n a$, 
where k is a nonnegative integer. Hence, 

$$a^i = a^{j + k \cdot \operatorname{ord}_n a} = a^j (a^{\operatorname{ord}_n a})^k \equiv a^j \pmod n,$$

because $a^{\operatorname{ord}_n a} \equiv 1 \pmod n$. 


Conversely, assume that $a^i \equiv a^j \pmod n$ with $i \ge j$. Because (a, n) = 1, we know 
that $(a^j, n) = 1$. Hence, using Corollary 4.4.1, the congruence 

$$a^i \equiv a^j a^{i-j} \equiv a^j \pmod n$$

implies, by cancellation of $a^j$, that 

$$a^{i-j} \equiv 1 \pmod n.$$

By Theorem 9.1, it follows that $\operatorname{ord}_n a$ divides $i - j$, or equivalently, 
$i \equiv j \pmod{\operatorname{ord}_n a}$. 


The next example illustrates the use of Theorem 9.2. 


Example 9.5. Let a = 3 and n = 14. By Theorem 9.2, we see that $3^5 \equiv 3^{11} \pmod{14}$, 
but $3^9 \not\equiv 3^{20} \pmod{14}$, because $\phi(14) = 6$ and $5 \equiv 11 \pmod 6$ but $9 \not\equiv 20 \pmod 6$. 


Given an integer n, we are interested in integers a with order modulo n equal to $\phi(n)$, 
the largest possible order modulo n. As we will show, when such an integer exists, the 
least positive residues of its powers run through all positive integers relatively prime to 
n and less than n. 


Definition. If r and n are relatively prime integers with n > 0 and if $\operatorname{ord}_n r = \phi(n)$, 
then r is called a primitive root modulo n, or a primitive root of n, and we say that n has 
a primitive root. 


Example 9.6. We have previously shown that $\operatorname{ord}_7 3 = 6 = \phi(7)$. Consequently, 3 is a 
primitive root modulo 7. Likewise, because $\operatorname{ord}_7 5 = 6$, as can easily be verified, 5 is also 
a primitive root modulo 7. 


Euler coined the term primitive root in 1773. His purported proof that every prime 
has a primitive root was incorrect, however. In Section 9.2, we will prove that every prime 
has a primitive root using the first correct proof of this result by Lagrange in 1769. Gauss 
also studied primitive roots extensively and provided several additional proofs that every 
prime has a primitive root. 


Not all integers have primitive roots. For instance, there are no primitive roots 
modulo 8. To see this, note that the only integers less than 8 and relatively prime to 
8 are 1, 3, 5, and 7, and $\operatorname{ord}_8 1 = 1$, while $\operatorname{ord}_8 3 = \operatorname{ord}_8 5 = \operatorname{ord}_8 7 = 2$. Because $\phi(8) = 4$, 
there are no primitive roots modulo 8. 


Among the first 30 positive integers, 2, 3,4,5,6, 7,9, 10, 11, 13, 14, 17, 18, 
19, 22, 23, 25, 26, 27, and 29 have primitive roots, whereas 8, 12, 15, 16, 20, 21, 24, 28, 
and 30 do not. (The reader can verify this information; see Exercises 3-6 at the end of 
this section, for example.) What can we conjecture based on this evidence? In this range, 
every prime has a primitive root (as Lagrange showed), as does every power of an odd 
prime (since 9 = 3”, 25 = 5’, and 27 = 3? have primitive roots), but the only power of 2 
that has a primitive root is 4. The other integers in this range with a primitive root are 
6, 10, 14, 18, 22, and 26. What do these integers have in common? Each is 2 times an 
odd prime or power of an odd prime. Using this evidence, we conjecture that a posi- 
tive integer has a primitive root if and only if it equals 2, 4, p’, or 2p’, where p is an 
odd prime and t is a positive integer. Sections 9.2 and 9.3 are devoted to verifying this 
conjecture. 


To indicate one way in which primitive roots are useful, we give the following 
theorem. 

Theorem 9.3. If $r$ and $n$ are relatively prime positive integers with $n > 0$ and if $r$ is a primitive root modulo $n$, then the integers

$$r^1, r^2, \ldots, r^{\phi(n)}$$

form a reduced residue system modulo $n$.

Proof. To demonstrate that the first $\phi(n)$ powers of the primitive root $r$ form a reduced residue system modulo $n$, we need only show that they are all relatively prime to $n$ and that no two are congruent modulo $n$.

Because $(r, n) = 1$, it follows from Exercise 16 of Section 3.3 that $(r^k, n) = 1$ for any positive integer $k$. Hence, these powers are all relatively prime to $n$. To show that no two of these powers are congruent modulo $n$, assume that

$$r^i \equiv r^j \pmod{n}.$$

By Theorem 9.2, we see that $i \equiv j \pmod{\mathrm{ord}_n r}$. Because $r$ is a primitive root of $n$, $\mathrm{ord}_n r = \phi(n)$, so that this congruence is the same as $i \equiv j \pmod{\phi(n)}$. However, for $1 \le i \le \phi(n)$ and $1 \le j \le \phi(n)$, the congruence $i \equiv j \pmod{\phi(n)}$ implies that $i = j$. Hence, no two of these powers are congruent modulo $n$. This shows that we do have a reduced residue system modulo $n$. ■


Example 9.7. By Corollary 9.1.1, we know that $\mathrm{ord}_9 2 \mid \phi(9) = 6$. Hence, the only possible values for $\mathrm{ord}_9 2$ are 1, 2, 3, and 6. Because none of $2^1 = 2$, $2^2 = 4$, and $2^3 = 8$ are congruent to 1 modulo 9, we conclude that $\mathrm{ord}_9 2$ equals 6. This tells us that 2 is a primitive root modulo 9. So, by Theorem 9.3, the first $\phi(9) = 6$ powers of 2 form a reduced residue system modulo 9. These are $2^1 \equiv 2 \pmod{9}$, $2^2 \equiv 4 \pmod{9}$, $2^3 \equiv 8 \pmod{9}$, $2^4 \equiv 7 \pmod{9}$, $2^5 \equiv 5 \pmod{9}$, and $2^6 \equiv 1 \pmod{9}$. ◄


When an integer possesses a primitive root, it usually has many primitive roots. To 
demonstrate this, we first prove the following theorem. 

Theorem 9.4. If $\mathrm{ord}_n a = t$ and if $u$ is a positive integer, then

$$\mathrm{ord}_n(a^u) = t/(t, u).$$

Proof. Let $s = \mathrm{ord}_n(a^u)$, $v = (t, u)$, $t = t_1 v$, and $u = u_1 v$. By Theorem 3.6, we know that $(t_1, u_1) = 1$.

Because $t_1 = t/(t, u)$, we want to show that $\mathrm{ord}_n(a^u) = t_1$. To do this, we will show that $(a^u)^{t_1} \equiv 1 \pmod{n}$, so that $s \mid t_1$, and that if $(a^u)^s \equiv 1 \pmod{n}$, then $t_1 \mid s$. First, note that

$$(a^u)^{t_1} = (a^{u_1 v})^{t/v} = (a^t)^{u_1} \equiv 1 \pmod{n},$$

because $\mathrm{ord}_n a = t$. Hence, Theorem 9.1 tells us that $s \mid t_1$.

On the other hand, because

$$(a^u)^s = a^{us} \equiv 1 \pmod{n},$$

we know that $t \mid us$. Hence, $t_1 v \mid u_1 v s$ and, consequently, $t_1 \mid u_1 s$. Because $(t_1, u_1) = 1$, using Lemma 3.4, we see that $t_1 \mid s$.

Now, because $s \mid t_1$ and $t_1 \mid s$, we conclude that $s = t_1 = t/v = t/(t, u)$. This proves the result. ■

Example 9.8. By Theorem 9.4, we see that $\mathrm{ord}_7 3^4 = 6/(6, 4) = 6/2 = 3$, because we showed in Example 9.1 that $\mathrm{ord}_7 3 = 6$. ◄


The following corollary of Theorem 9.4 tells us which powers of a primitive root 
are also primitive roots. 


Corollary 9.4.1. Let $r$ be a primitive root modulo $n$, where $n$ is an integer, $n > 1$. Then $r^u$ is a primitive root modulo $n$ if and only if $(u, \phi(n)) = 1$.

Proof. By Theorem 9.4, we know that

$$\mathrm{ord}_n r^u = \mathrm{ord}_n r/(u, \mathrm{ord}_n r) = \phi(n)/(u, \phi(n)).$$

Consequently, $\mathrm{ord}_n r^u = \phi(n)$, and $r^u$ is a primitive root modulo $n$, if and only if $(u, \phi(n)) = 1$. ■


This leads immediately to the following theorem. 


Theorem 9.5. If a positive integer $n$ has a primitive root, then it has a total of $\phi(\phi(n))$ incongruent primitive roots.

Proof. Let $r$ be a primitive root modulo $n$. Then Theorem 9.3 tells us that the integers $r, r^2, \ldots, r^{\phi(n)}$ form a reduced residue system modulo $n$. By Corollary 9.4.1, we know that $r^u$ is a primitive root modulo $n$ if and only if $(u, \phi(n)) = 1$. Because there are exactly $\phi(\phi(n))$ such integers $u$, there are exactly $\phi(\phi(n))$ primitive roots modulo $n$. ■

Example 9.9. Let $n = 11$. Note that 2 is a primitive root modulo 11 (see Exercise 5 at the end of this section). Because 11 has a primitive root, by Theorem 9.5 we know that 11 has $\phi(\phi(11)) = 4$ incongruent primitive roots. Because $\phi(11) = 10$, by the proof of Theorem 9.5 we see that we can find these primitive roots by taking the least nonnegative residues of $2^1$, $2^3$, $2^7$, and $2^9$, which are 2, 8, 7, and 6, respectively. In other words, the integers 2, 6, 7, 8 form a complete set of incongruent primitive roots modulo 11. ◄
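
The following Python sketch is an added example, not code from the book. It computes orders by direct search, lists primitive roots, rebuilds them from a single root as in the proof of Theorem 9.5, and checks the conjectured form 2, 4, p^t, 2p^t against brute force; all function names are hypothetical, and the brute-force search is only meant for small moduli.

```python
from math import gcd


def order(a, n):
    """Return ord_n a, the least positive x with a^x ≡ 1 (mod n)."""
    if n < 1 or gcd(a, n) != 1:
        raise ValueError("ord_n a is defined only when (a, n) = 1")
    x, power = 1, a % n
    while power != 1 % n:
        power = power * a % n
        x += 1
    return x


def phi(n):
    """Euler's phi function by direct count (adequate for small n)."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def primitive_roots(n):
    """All primitive roots of n among 1, ..., n-1, found by brute force."""
    target = phi(n)
    return [a for a in range(1, n)
            if gcd(a, n) == 1 and order(a, n) == target]


def powers_that_are_primitive_roots(r, n):
    """Corollary 9.4.1: given one primitive root r of n, the others are
    the residues of r^u with 1 <= u <= phi(n) and (u, phi(n)) = 1."""
    t = phi(n)
    if order(r, n) != t:
        raise ValueError("r is not a primitive root modulo n")
    return sorted(pow(r, u, n) for u in range(1, t + 1) if gcd(u, t) == 1)


def has_conjectured_form(n):
    """True when n is 2, 4, p^t or 2p^t with p an odd prime and t >= 1."""
    if n in (2, 4):
        return True
    m = n // 2 if n % 2 == 0 else n      # strip at most one factor of 2
    if m % 2 == 0 or m < 3:
        return False
    p = next(d for d in range(3, m + 1, 2) if m % d == 0)  # least prime factor
    while m % p == 0:
        m //= p
    return m == 1                        # nothing left: m was a power of p


if __name__ == "__main__":
    print("ord_7 3 =", order(3, 7))
    print("primitive roots of 11:", primitive_roots(11))
    print("from the root 2:", powers_that_are_primitive_roots(2, 11))
    print("n <= 30 with a primitive root:",
          [n for n in range(2, 31) if primitive_roots(n)])
```
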


EXERCISES 


1. Determine the following orders.


a) ords2 b) ord,93 c) ord,310 d) ord,g97 


2. Determine the following orders.


a) ord, ,3 b) ord,72 c) ord,,10 d) ordy59 


3. Show that $\mathrm{ord}_3 2 = 2$, $\mathrm{ord}_5 2 = 4$, and $\mathrm{ord}_7 2 = 3$.
4. Show that $\mathrm{ord}_{13} 2 = 12$, $\mathrm{ord}_{17} 2 = 8$, and $\mathrm{ord}_{241} 2 = 24$.


5. a) Show that 5 is a primitive root of 6. 


b) Show that 2 is a primitive root of 11. 

6. Find a primitive root modulo each of the following integers.

a) 4 b) 5 c) 10 d) 13 e) 14 f) 18


7. Show that the integer 12 has no primitive roots. 


8. Show that the integer 20 has no primitive roots. 


9. How many incongruent primitive roots does 14 have? Find a set of this many incongruent primitive roots modulo 14.

10. How many incongruent primitive roots does 13 have? Find a set of this many incongruent primitive roots modulo 13.

11. Show that if $\bar{a}$ is an inverse of $a$ modulo $n$, then $\mathrm{ord}_n a = \mathrm{ord}_n \bar{a}$.

12. Show that if $n$ is a positive integer and $a$ and $b$ are integers relatively prime to $n$ such that $(\mathrm{ord}_n a, \mathrm{ord}_n b) = 1$, then $\mathrm{ord}_n(ab) = \mathrm{ord}_n a \cdot \mathrm{ord}_n b$.

13. What can be said about $\mathrm{ord}_n(ab)$ if $a$ and $b$ are integers relatively prime to $n$ such that $\mathrm{ord}_n a$ and $\mathrm{ord}_n b$ are not necessarily relatively prime?

14. Decide whether it is true that if $n$ is a positive integer and $d$ is a divisor of $\phi(n)$, then there is an integer $a$ with $\mathrm{ord}_n a = d$. Give reasons for your answer.

15. Show that if $a$ is an integer relatively prime to the positive integer $m$ and $\mathrm{ord}_m a = st$, then $\mathrm{ord}_m a^t = s$.

16. Show if $m$ is a positive integer and $a$ is an integer relatively prime to $m$ such that $\mathrm{ord}_m a = m - 1$, then $m$ is prime.

17. Show that $r$ is a primitive root modulo the odd prime $p$ if and only if $r$ is an integer with $(r, p) = 1$ such that

$$r^{(p-1)/q} \not\equiv 1 \pmod{p}$$

for all prime divisors $q$ of $p - 1$.

18. Show that if $r$ is a primitive root modulo the positive integer $m$, then $\bar{r}$ is also a primitive root modulo $m$ if $\bar{r}$ is an inverse of $r$ modulo $m$.

19. Show that $\mathrm{ord}_{F_n} 2 \le 2^{n+1}$, where $F_n = 2^{2^n} + 1$ is the $n$th Fermat number.

20. Let $p$ be a prime divisor of the Fermat number $F_n = 2^{2^n} + 1$.
a) Show that $\mathrm{ord}_p 2 = 2^{n+1}$.
b) From part (a), conclude that $2^{n+1} \mid (p - 1)$, so that $p$ must be of the form $2^{n+1}k + 1$.

21. Let $m = a^n - 1$, where $a$ and $n$ are positive integers. Show that $\mathrm{ord}_m a = n$, and conclude that $n \mid \phi(m)$.

22. a) Show that if $p$ and $q$ are distinct odd primes, then $pq$ is a pseudoprime to the base 2 if and only if $\mathrm{ord}_q 2 \mid (p - 1)$ and $\mathrm{ord}_p 2 \mid (q - 1)$.
b) Use part (a) to decide which of the following integers are pseudoprimes to the base 2: $13 \cdot 67$, $19 \cdot 73$, $23 \cdot 89$, $29 \cdot 97$.

23. Show that if $p$ and $q$ are distinct odd primes, then $pq$ is a pseudoprime to the base 2 if and only if $M_p M_q = (2^p - 1)(2^q - 1)$ is a pseudoprime to the base 2.

Exercises 24 and 25 deal with a conjecture de Polignac made in 1849 that stated that for every odd integer $k$, there is a prime of the form $2^n + k$ where $n$ is a positive integer.

24. a) Show, using Exercise 3, that if $n \equiv 1 \pmod{2}$, then $3 \mid 2^n + 61$, if $n \equiv 2 \pmod{4}$, then $5 \mid 2^n + 61$, and if $n \equiv 1 \pmod{3}$, then $7 \mid 2^n + 61$.
b) Conclude from part (a) that $2^n + 61$ is composite for all positive integers $n$ with $n \not\equiv 0$ or $8 \pmod{12}$.
c) Find a positive integer $n$ for which $2^n + 61$ is prime, using part (b) to help.

25. a) Use Exercises 3 and 4, together with Exercise 31 of Section 4.3, to show that if $k$ is an integer with $k \equiv -2^1 \pmod{3}$, $k \equiv -2^2 \pmod{5}$, $k \equiv -2^1 \pmod{7}$, $k \equiv -2^8 \pmod{13}$, $k \equiv -2^4 \pmod{17}$, and $k \equiv -2^0 \pmod{241}$, then $2^n + k$ is composite for all positive integers $n$.
b) Use the Chinese remainder theorem to find a positive integer $k$ for which $2^n + k$ is composite for all positive integers, disproving de Polignac's conjecture.

There is an iterative method known as the cycling attack for decrypting messages that were encrypted by an RSA cipher, without knowledge of the decrypting key. Suppose that the public key $(e, n)$ used for encrypting is known, but the decrypting key $(d, n)$ is not. To decrypt a ciphertext block $C$, we form a sequence $C_1, C_2, C_3, \ldots$, setting $C_1 \equiv C^e \pmod{n}$, $0 < C_1 < n$, and $C_{j+1} \equiv C_j^e \pmod{n}$, $0 < C_{j+1} < n$ for $j = 1, 2, 3, \ldots$.

26. Show that $C_j \equiv C^{e^j} \pmod{n}$, $0 < C_j < n$.

27. Show that there is an index $j$ such that $C_j = C$ and $C_{j-1} = P$, where $P$ is the original plaintext message. Show that this index $j$ is a divisor of $\mathrm{ord}_{\phi(n)} e$.

28. Let $n = 47 \cdot 59$ and $e = 17$. Using iteration, find the plaintext corresponding to the ciphertext 1504.


(Note: This iterative method for attacking RSA ciphers is seldom successful in a reasonable 
amount of time. Moreover, the primes p and q may be chosen so that this attack is almost always 
futile. See Exercise 19 of Section 9.2.) 


Computations and Explorations 


1. Find $\mathrm{ord}_{52,579} 2$, $\mathrm{ord}_{52,579} 3$, and $\mathrm{ord}_{52,579} 1001$.


2. Find as many integers as you can for which 2 is a primitive root. Do you think that there are 
infinitely many such integers? 


Programming Projects 


1. Find the order of a modulo m, when a and m are relatively prime positive integers. 
2. Find primitive roots when they exist. 


3. Attempt to decrypt RSA ciphers by iteration (see the preamble to Exercise 26). 
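
The iteration from the preamble to Exercise 26, as an added Python example (not code from the book). It runs on the page's toy key n = 47 · 59, e = 17 with a constructed plaintext, and computes the bound ord_{φ(n)} e from Exercise 27, the quantity that the choice of p and q controls; the function names and the `max_steps` cut-off are assumptions of this sketch.

```python
from itertools import count
from math import gcd


def cycle_decrypt(c, e, n, max_steps=10**6):
    """Form C_1 = C^e, C_{j+1} = C_j^e (mod n) until C_j = C.

    Returns (C_{j-1}, j), where C_{j-1} is the plaintext (Exercise 27),
    or (None, None) if no cycle closes within max_steps iterations.
    C_0 is taken to be C itself, which covers the fixed-point case j = 1.
    """
    c %= n
    previous, current = c, pow(c, e, n)
    for j in range(1, max_steps + 1):
        if current == c:
            return previous, j
        previous, current = current, pow(current, e, n)
    return None, None


def cycle_length_bound(e, p, q):
    """Return ord_{phi(n)} e for n = pq; every cycle length divides it."""
    phi_n = (p - 1) * (q - 1)
    if gcd(e, phi_n) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return next(k for k in count(1) if pow(e, k, phi_n) == 1)


def longest_cycle(e, n):
    """Largest cycle length over all residues 0..n-1 (toy moduli only)."""
    return max(cycle_decrypt(c, e, n)[1] for c in range(n))


if __name__ == "__main__":
    p, q, e = 47, 59, 17            # the page's toy key from Exercise 28
    n = p * q
    plaintext = 1234                # constructed sample block
    ciphertext = pow(plaintext, e, n)
    recovered, j = cycle_decrypt(ciphertext, e, n)
    print("recovered", recovered, "after", j, "iterations")
    print("ord_phi(n) e =", cycle_length_bound(e, p, q))
    print("longest cycle over all blocks:", longest_cycle(e, n))
```

For this key the bound is only 44, so every block cycles within 44 exponentiations; the bound grows with the order of e modulo φ(n), which is what the condition in Exercise 19 of Section 9.2 makes large.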


9.2 Primitive Roots for Primes 


In this and the following section, our objective is to determine which integers have 
primitive roots. In this section, we show that every prime has a primitive root. To do 
this, we first need to study polynomial congruences. 

Let $f(x)$ be a polynomial with integer coefficients. We say that an integer $c$ is a root of $f(x)$ modulo $m$ if $f(c) \equiv 0 \pmod{m}$. It is easy to see that if $c$ is a root of $f(x)$ modulo $m$, then every integer congruent to $c$ modulo $m$ is also a root.

Example 9.10. The polynomial $f(x) = x^2 + x + 1$ has exactly two incongruent roots modulo 7, namely, $x \equiv 2 \pmod{7}$ and $x \equiv 4 \pmod{7}$. ◄

Example 9.11. The polynomial $g(x) = x^2 + 2$ has no roots modulo 5. ◄

Example 9.12. Fermat's little theorem tells us that if $p$ is prime, then the polynomial $h(x) = x^{p-1} - 1$ has exactly $p - 1$ incongruent roots modulo $p$, namely, $x \equiv 1, 2, 3, \ldots, p - 1 \pmod{p}$. ◄


We will need the following important theorem concerning roots of polynomials 
modulo p where p is a prime. 


Theorem 9.6. Lagrange's Theorem. Let $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$ be a polynomial of degree $n$, $n \ge 1$, with integer coefficients and with leading coefficient $a_n$ not divisible by $p$. Then $f(x)$ has at most $n$ incongruent roots modulo $p$.

Proof. We use mathematical induction to prove the theorem. When $n = 1$, we have $f(x) = a_1 x + a_0$ with $p \nmid a_1$. A root of $f(x)$ modulo $p$ is a solution of the linear congruence $a_1 x \equiv -a_0 \pmod{p}$. By Theorem 4.10, because $(a_1, p) = 1$, this linear congruence has exactly one solution, so that there is exactly one root modulo $p$ of $f(x)$. Clearly, the theorem is true for $n = 1$.

Now suppose that the theorem is true for polynomials of degree $n - 1$, and let $f(x)$ be a polynomial of degree $n$ with leading coefficient not divisible by $p$. Assume that the polynomial $f(x)$ has $n + 1$ incongruent roots modulo $p$, say, $c_0, c_1, \ldots, c_n$, so that $f(c_k) \equiv 0 \pmod{p}$ for $k = 0, 1, \ldots, n$. We have

$$\begin{aligned}
f(x) - f(c_0) &= a_n(x^n - c_0^n) + a_{n-1}(x^{n-1} - c_0^{n-1}) + \cdots + a_1(x - c_0) \\
&= a_n(x - c_0)(x^{n-1} + x^{n-2}c_0 + \cdots + x c_0^{n-2} + c_0^{n-1}) \\
&\quad + a_{n-1}(x - c_0)(x^{n-2} + x^{n-3}c_0 + \cdots + x c_0^{n-3} + c_0^{n-2}) \\
&\quad + \cdots + a_1(x - c_0) \\
&= (x - c_0)g(x),
\end{aligned}$$

where $g(x)$ is a polynomial of degree $n - 1$ with leading coefficient $a_n$. We now show that $c_1, c_2, \ldots, c_n$ are all roots of $g(x)$ modulo $p$. Let $k$ be an integer, $1 \le k \le n$. Because $f(c_k) \equiv f(c_0) \equiv 0 \pmod{p}$, we have

$$f(c_k) - f(c_0) = (c_k - c_0)g(c_k) \equiv 0 \pmod{p}.$$

It follows that $g(c_k) \equiv 0 \pmod{p}$, because $c_k - c_0 \not\equiv 0 \pmod{p}$. Hence, $c_k$ is a root of $g(x)$ modulo $p$. This shows that the polynomial $g(x)$, which is of degree $n - 1$ and has a leading coefficient not divisible by $p$, has $n$ incongruent roots modulo $p$. This contradicts the induction hypothesis. Hence, $f(x)$ must have no more than $n$ incongruent roots modulo $p$. The induction argument is complete. ■


We use Lagrange’s theorem to prove the following result. 


Theorem 9.7. Let $p$ be prime and let $d$ be a divisor of $p - 1$. Then the polynomial $x^d - 1$ has exactly $d$ incongruent roots modulo $p$.

Proof. Let $p - 1 = de$. Then

$$x^{p-1} - 1 = (x^d - 1)(x^{d(e-1)} + x^{d(e-2)} + \cdots + x^d + 1) = (x^d - 1)g(x).$$

From Fermat's little theorem, we see that $x^{p-1} - 1$ has $p - 1$ incongruent roots modulo $p$. Furthermore, any root of $x^{p-1} - 1$ modulo $p$ is either a root of $x^d - 1$ modulo $p$ or a root of $g(x)$ modulo $p$.

Lagrange's theorem tells us that $g(x)$ has at most $d(e - 1) = p - d - 1$ roots modulo $p$. Because every root of $x^{p-1} - 1$ modulo $p$ that is not a root of $g(x)$ modulo $p$ must be a root of $x^d - 1$ modulo $p$, we know that the polynomial $x^d - 1$ has at least $(p - 1) - (p - d - 1) = d$ incongruent roots modulo $p$. On the other hand, Lagrange's theorem tells us that it has at most $d$ incongruent roots modulo $p$. Consequently, $x^d - 1$ has precisely $d$ incongruent roots modulo $p$. ■


Theorem 9.7 can be used to prove a useful result that tells us how many incongruent 
integers have a given order modulo p. Before proving this result, we present a lemma 
needed for its proof. 


Lemma 9.1. Let $p$ be a prime and let $d$ be a positive divisor of $p - 1$. Then the number of positive integers less than $p$ of order $d$ modulo $p$ does not exceed $\phi(d)$.

Proof. For each positive integer $d$ dividing $p - 1$, let $F(d)$ denote the number of positive integers of order $d$ modulo $p$ that are less than $p$.

If $F(d) = 0$, it is clear that $F(d) \le \phi(d)$. Otherwise, there is an integer $a$ of order $d$ modulo $p$. Because $\mathrm{ord}_p a = d$, the integers


are incongruent modulo $p$. Furthermore, each of these powers of $a$ is a root of $x^d - 1$ modulo $p$, because $(a^k)^d = (a^d)^k \equiv 1 \pmod{p}$ for all positive integers $k$. By Theorem 9.7, we know that $x^d - 1$ has exactly $d$ incongruent roots modulo $p$, so every root modulo $p$ is congruent to one of these powers of $a$.

Now, by Theorem 9.4, we know that the powers of $a$ with order $d$ are those of the form $a^k$ with $(k, d) = 1$. There are exactly $\phi(d)$ such integers $k$ with $1 \le k \le d$, and consequently, if there is one element of order $d$ modulo $p$, there must be exactly $\phi(d)$ such positive integers less than $p$. Hence, $F(d) \le \phi(d)$. ■


We now can determine how many incongruent integers can have a given order 
modulo p. 




Theorem 9.8. Let $p$ be a prime and let $d$ be a positive divisor of $p - 1$. Then the number of incongruent integers of order $d$ modulo $p$ is equal to $\phi(d)$.

Proof. For each positive integer $d$ dividing $p - 1$, let $F(d)$ denote the number of positive integers of order $d$ modulo $p$ that are less than $p$. Because the order modulo $p$ of an integer not divisible by $p$ divides $p - 1$, it follows that

$$p - 1 = \sum_{d \mid p-1} F(d).$$

By Theorem 7.7, we know that

$$p - 1 = \sum_{d \mid p-1} \phi(d).$$

By Lemma 9.1, $F(d) \le \phi(d)$ when $d \mid (p - 1)$. This inequality, together with the equality

$$\sum_{d \mid p-1} F(d) = \sum_{d \mid p-1} \phi(d),$$

implies that $F(d) = \phi(d)$ for each positive divisor $d$ of $p - 1$.

Therefore, we can conclude that $F(d) = \phi(d)$, which tells us that there are precisely $\phi(d)$ incongruent integers of order $d$ modulo $p$. ■


The following corollary is derived immediately from Theorem 9.8. 


Corollary 9.8.1. Every prime has a primitive root. 


Proof. Let $p$ be a prime. By Theorem 9.8, we know that there are $\phi(p - 1)$ incongruent integers of order $p - 1$ modulo $p$. Because each of these is, by definition, a primitive root, $p$ has $\phi(p - 1)$ primitive roots. ■

Note that Corollary 9.8.1 provides a nonconstructive existence proof of primitive roots modulo a prime. The smallest positive primitive root of each prime less than 1000 is given in Table 3 of Appendix E; looking at the table, we see that 2 is the least primitive root of many primes $p$. Is 2 a primitive root for infinitely many primes? The answer to this question is not known, and it is also unknown when we replace 2 by an integer other than $\pm 1$ or a perfect square. Evidence suggests the truth of the following conjecture made by Emil Artin.

Artin's conjecture. The integer $a$ is a primitive root of infinitely many primes if $a \ne \pm 1$ and $a$ is not a perfect square.


Although Artin’s conjecture has not been settled, there are some interesting partial 
results. For example, one consequence of work by Roger Heath-Brown is that there are 
at most two primes and three positive square-free integers a such that a is a primitive 
root of only finitely many primes. One implication of this work is that at least one of the 
integers 2, 3, and 5 is a primitive root for infinitely many primes. 

Many mathematicians have studied the problem of determining bounds on $g_p$, the smallest primitive root for a prime $p$. Among the results that have been proved are that

$$g_p > C \log p$$

for some constant $C$ and infinitely many primes $p$. This result, proved by Fridlender (in 1949), and independently by Salié (in 1950), shows that there are infinitely many primes where the least primitive root is larger than any particular positive integer. However, $g_p$ does not grow very quickly. Grosswald showed (in 1981) that if $p$ is a prime with $p > e^{e^{24}}$, then $g_p < p^{0.499}$. Another interesting result, proved in the problems section of the American Mathematical Monthly in 1984, is that for every positive integer $M$, there are infinitely many primes $p$ such that $M < g_p < p - M$.


EXERCISES 


1. Find the number of incongruent roots modulo 11 of each of the following polynomials.
a) $x^2 + 2$ b) $x^2 + 10$ c) $x^3 + x^2 + 2x + 2$ d) $x^4 + x^2 + 1$

2. Find the number of incongruent roots modulo 13 of each of the following polynomials.
a) $x^2 + 1$ b) $x^2 + 3x + 2$ c) $x^3 + 12$ d) $x^4 + x^2 + x + 1$

3. Find the number of primitive roots of each of the following primes.
a) 7 b) 13 c) 17 d) 19 e) 29 f) 47

4. Find a complete set of incongruent primitive roots of 7.
5. Find a complete set of incongruent primitive roots of 13.
6. Find a complete set of incongruent primitive roots of 17.

EMIL ARTIN (1898-1962) was born in Vienna, Austria. He served in the Austrian army during World War I. In 1921, he received a Ph.D. from the University of Leipzig, which he attended both as an undergraduate and as a graduate student. He attended the University of Göttingen from 1922 until 1923. In 1923, he was appointed to a position at the University of Hamburg. Artin was forced to leave Germany in 1937 as a result of Nazi regulations because his wife was Jewish, although he was not. He emigrated to the United States, where he taught at Notre Dame University (1937-1938), Indiana University (1938-1946), and Princeton University (1946-1958). He returned to Germany, taking a position at the University of Hamburg, in 1958.

Artin made major contributions to several areas of abstract algebra, including ring theory and group theory. He also invented the concept of braid structures, defined using the concept of strings woven to form braids, now studied by topologists and algebraists. Artin made major contributions to both analytic and algebraic number theory, beginning with his research involving quadratic fields.

Artin excelled as a teacher and advisor of students. He was also a talented musician who played the harpsichord, clavichord, and flute and was a devotee of old music.

7. Find a complete set of incongruent primitive roots of 19.

8. Let $r$ be a primitive root of the prime $p$ with $p \equiv 1 \pmod{4}$. Show that $-r$ is also a primitive root.

9. Show that if $p$ is a prime and $p \equiv 1 \pmod{4}$, then there is an integer $x$ such that $x^2 \equiv -1 \pmod{p}$. (Hint: Use Theorem 9.8 to show that there is an integer $x$ of order 4 modulo $p$.)

10. a) Find the number of incongruent roots modulo 6 of the polynomial $x^2 - x$.
b) Explain why the answer to part (a) does not contradict Lagrange's theorem.

11. a) Use Lagrange's theorem to show that if $p$ is a prime and $f(x)$ is a polynomial of degree $n$ with integer coefficients and more than $n$ roots modulo $p$, then $p$ divides every coefficient of $f(x)$.
b) Let $p$ be prime. Using part (a), show that every coefficient of the polynomial $f(x) = (x - 1)(x - 2) \cdots (x - p + 1) - x^{p-1} + 1$ is divisible by $p$.
c) Using part (b), give a proof of Wilson's theorem (Theorem 6.1). (Hint: Consider the constant term of $f(x)$.)

12. Find the least positive residue of the product of a set of $\phi(p - 1)$ incongruent primitive roots modulo a prime $p$.

13. A systematic method for constructing a primitive root modulo a prime $p$ is outlined in this problem. Let the prime factorization of $\phi(p) = p - 1$ be $p - 1 = q_1^{t_1} q_2^{t_2} \cdots q_r^{t_r}$, where $q_1, q_2, \ldots, q_r$ are prime.
a) Use Theorem 9.8 to show that there are integers $a_1, a_2, \ldots, a_r$ such that $\mathrm{ord}_p a_1 = q_1^{t_1}$, $\mathrm{ord}_p a_2 = q_2^{t_2}$, ..., $\mathrm{ord}_p a_r = q_r^{t_r}$.
b) Use Exercise 10 of Section 9.1 to show that $a = a_1 a_2 \cdots a_r$ is a primitive root modulo $p$.
c) Follow the procedure outlined in parts (a) and (b) to find a primitive root modulo 29.

14. Suppose that the composite positive integer $n$ has prime-power factorization $n = p_1^{a_1} p_2^{a_2} \cdots p_m^{a_m}$. Show that the number of incongruent bases modulo $n$ for which $n$ is a pseudoprime to that base is $\prod_{j=1}^{m} (n - 1, p_j - 1)$.

15. Use Exercise 14 to show that every odd composite integer that is not a power of 3 is a pseudoprime to at least two bases other than $\pm 1$.

16. Show that if $p$ is prime and $p = 2q + 1$, where $q$ is an odd prime and $a$ is a positive integer with $1 < a < p - 1$, then $p - a^2$ is a primitive root modulo $p$.

17. a) Suppose that $f(x)$ is a polynomial with integer coefficients of degree $n - 1$. Let $x_1, x_2, \ldots, x_n$ be $n$ incongruent integers modulo $p$. Show that for all integers $x$, the congruence

$$f(x) \equiv \sum_{j=1}^{n} f(x_j) \prod_{\substack{i=1 \\ i \ne j}}^{n} (x - x_i)\,\overline{(x_j - x_i)} \pmod{p}$$

holds, where $\overline{x_j - x_i}$ is an inverse of $x_j - x_i$ modulo $p$. This technique for finding $f(x)$ modulo $p$ is called Lagrange interpolation.
b) Find the least positive residue of $f(5)$ modulo 11 if $f(x)$ is a polynomial of degree 3 with $f(1) \equiv 8$, $f(2) \equiv 2$, and $f(3) \equiv 4 \pmod{11}$.

18. In this exercise, we develop a threshold scheme for protection of master keys in a computer system, different from the scheme discussed in Section 8.6. Let $f(x)$ be a randomly chosen polynomial of degree $r - 1$, with the condition that $K$, the master key, is the constant term of the polynomial. Let $p$ be a prime, such that $p > K$ and $p > s$. The $s$ shadows $k_1, k_2, \ldots, k_s$ are computed by finding the least positive residue of $f(x_j)$ modulo $p$ for $j = 1, 2, \ldots, s$, where $x_1, x_2, \ldots, x_s$ are randomly chosen integers incongruent modulo $p$; that is,


for $j = 1, 2, \ldots, s$.

a) Use Lagrange interpolation, described in Exercise 17, to show that the master key $K$ can be determined from any $r$ shadows.

b) Show that the master key $K$ cannot be determined from fewer than $r$ shadows.

c) Let $K = 33$, $p = 47$, $r = 4$, and $s = 7$. Let $f(x) = 4x^3 + x^2 + 31x + 33$. Find the seven shadows corresponding to the values of $f(x)$ at 1, 2, 3, 4, 5, 6, 7.

d) Show how to find the master key from the four shadows $f(1)$, $f(2)$, $f(3)$, and $f(4)$.

19. Show that an RSA cipher with encrypting modulus $n = pq$ is resistant to the cycling attack (see the preamble to Exercise 26 of Section 9.1) if $p - 1$ and $q - 1$ have large prime factors $p'$ and $q'$, respectively, and $p' - 1$ and $q' - 1$ have large prime factors $p''$ and $q''$, respectively.


Computations and Explorations 


1. Find the least primitive root for each of the primes 10,007, 10,009, and 10,037.

2. Erdős has asked whether for each sufficiently large prime $p$ there is a prime $q$ for which $q$ is a primitive root of $p$. What evidence can you find for this conjecture? For which small primes $p$ is the statement in the conjecture false?


Programming Projects 


1. Given a prime $p$, use Exercise 13 to find a primitive root of $p$.

2. Implement the threshold scheme given in Exercise 18.
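
The threshold scheme of Exercise 18 with the Lagrange interpolation of Exercise 17, as an added Python example (not code from the book). Function names are hypothetical, and two choices are assumptions of this sketch: the random coefficients are drawn uniformly from 0..p-1 with a cryptographic generator, and each x_j is required to be nonzero modulo p, since a shadow at x ≡ 0 would be the master key itself.

```python
import secrets


def eval_poly(coeffs, x, p):
    """Horner evaluation modulo p; coeffs = [a_{r-1}, ..., a_1, a_0]."""
    value = 0
    for c in coeffs:
        value = (value * x + c) % p
    return value


def make_shadows(key, r, xs, p, higher_coeffs=None):
    """Return the shadows (x_j, f(x_j) mod p) for a polynomial f of degree
    at most r - 1 whose constant term is the master key.

    higher_coeffs fixes [a_{r-1}, ..., a_1] (used to reproduce a worked
    polynomial); when omitted they are chosen at random.
    """
    xs = list(xs)
    if not 0 <= key < p:
        raise ValueError("the prime p must exceed the master key K")
    residues = {x % p for x in xs}
    if len(residues) != len(xs) or 0 in residues:
        raise ValueError("the x_j must be incongruent and nonzero modulo p")
    if len(xs) < r:
        raise ValueError("need at least r shadows")
    if higher_coeffs is None:
        higher_coeffs = [secrets.randbelow(p) for _ in range(r - 1)]
    if len(higher_coeffs) != r - 1:
        raise ValueError("expected r - 1 non-constant coefficients")
    coeffs = list(higher_coeffs) + [key]
    return [(x, eval_poly(coeffs, x, p)) for x in xs]


def recover_key(shadows, p):
    """Lagrange interpolation at x = 0: K = f(0) from r or more shadows."""
    key = 0
    for j, (xj, kj) in enumerate(shadows):
        term = kj
        for i, (xi, _) in enumerate(shadows):
            if i != j:
                # factor (0 - x_i) times an inverse of (x_j - x_i) modulo p
                term = term * (-xi) * pow(xj - xi, -1, p) % p
        key = (key + term) % p
    return key


def keys_consistent_with(partial, extra_x, p):
    """Keys obtained by pairing r - 1 known shadows with every possible
    value of one further shadow at extra_x. If this is all of 0..p-1,
    the r - 1 shadows alone rule out no key."""
    return {recover_key(partial + [(extra_x, y)], p) for y in range(p)}


if __name__ == "__main__":
    p = 47
    # The page's polynomial f(x) = 4x^3 + x^2 + 31x + 33 at x = 1, ..., 7.
    shadows = make_shadows(33, 4, range(1, 8), p, higher_coeffs=[4, 1, 31])
    print("key from shadows 1-4:", recover_key(shadows[:4], p))
    print("key from shadows 4-7:", recover_key(shadows[3:], p))
    print("keys still possible with three shadows:",
          len(keys_consistent_with(shadows[:3], 4, p)))
```
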


9.3 The Existence of Primitive Roots 


In the previous section, we showed that every prime has a primitive root. In this section, 
we will find all positive integers having primitive roots. First, we will show that every 
power of an odd prime possesses a primitive root. 


Primitive Roots Modulo $p^2$, $p$ Prime The first step in showing that every power of an odd prime has a primitive root is to show that every square of an odd prime has a primitive root.

Theorem 9.9. If $p$ is an odd prime with primitive root $r$, then either $r$ or $r + p$ is a primitive root modulo $p^2$.


Proof. Because $r$ is a primitive root modulo $p$, we know that

$$\mathrm{ord}_p r = \phi(p) = p - 1.$$

Let $n = \mathrm{ord}_{p^2} r$, so that

$$r^n \equiv 1 \pmod{p^2}.$$

Because a congruence modulo $p^2$ obviously holds modulo $p$, we have

$$r^n \equiv 1 \pmod{p}.$$

By Theorem 9.1, because $p - 1 = \mathrm{ord}_p r$, it follows that

$$p - 1 \mid n.$$

On the other hand, Corollary 9.1.1 tells us that

$$n \mid \phi(p^2).$$

Because $\phi(p^2) = p(p - 1)$, this implies that $n \mid p(p - 1)$. Because $n \mid p(p - 1)$ and $p - 1 \mid n$, either $n = p - 1$ or $n = p(p - 1)$. If $n = p(p - 1)$, then $r$ is a primitive root modulo $p^2$, because $\mathrm{ord}_{p^2} r = \phi(p^2)$. Otherwise, we have $n = p - 1$, so that

(9.1) $r^{p-1} \equiv 1 \pmod{p^2}$.

Let $s = r + p$. Then, because $s \equiv r \pmod{p}$, $s$ is also a primitive root modulo $p$. Hence, $\mathrm{ord}_{p^2} s$ equals either $p - 1$ or $p(p - 1)$. We will show that $\mathrm{ord}_{p^2} s = p(p - 1)$ by eliminating the possibility that $\mathrm{ord}_{p^2} s = p - 1$.

To show that $\mathrm{ord}_{p^2} s \ne p - 1$, first note that by the binomial theorem we have

$$\begin{aligned}
s^{p-1} = (r + p)^{p-1} &= r^{p-1} + (p - 1) r^{p-2} p + \binom{p-1}{2} r^{p-3} p^2 + \cdots + p^{p-1} \\
&\equiv r^{p-1} + (p - 1) p \cdot r^{p-2} \pmod{p^2}.
\end{aligned}$$

Hence, using (9.1), we see that

$$s^{p-1} \equiv 1 + (p - 1) p \cdot r^{p-2} \equiv 1 - p r^{p-2} \pmod{p^2}.$$

From this last congruence, we can show that

$$s^{p-1} \not\equiv 1 \pmod{p^2}.$$

To see this, note that if $s^{p-1} \equiv 1 \pmod{p^2}$, then $p r^{p-2} \equiv 0 \pmod{p^2}$. This last congruence implies that $r^{p-2} \equiv 0 \pmod{p}$, which is impossible because $p \nmid r$ (remember that $r$ is a primitive root of $p$).

Because $\mathrm{ord}_{p^2} s \ne p - 1$, we can conclude that $\mathrm{ord}_{p^2} s = p(p - 1) = \phi(p^2)$. Consequently, $s = r + p$ is a primitive root of $p^2$. ■

Example 9.13. The prime $p = 7$ has $r = 3$ as a primitive root. Using observations made in the proof of Theorem 9.9, either $\mathrm{ord}_{49} 3 = 6$ or $\mathrm{ord}_{49} 3 = 42$. However,

$$r^{p-1} = 3^6 \not\equiv 1 \pmod{49}.$$

It follows that $\mathrm{ord}_{49} 3 = 42$. Hence, 3 is also a primitive root of $p^2 = 49$. ◄

We note that it is extremely rare for the congruence

$$r^{p-1} \equiv 1 \pmod{p^2}$$

to hold when $r$ is a primitive root modulo the prime $p$ with $r < p$. Consequently, it is very seldom that a primitive root $r$ modulo the prime $p$ is not also a primitive root modulo $p^2$. When this occurs, Theorem 9.9 tells us that $r + p$ is a primitive root modulo $p^2$. The following example illustrates this.

Example 9.14. Let $p = 487$. For the primitive root 10 modulo 487, we have

$$10^{486} \equiv 1 \pmod{487^2}.$$

Hence, 10 is not a primitive root modulo $487^2$ but, by Theorem 9.9, we know that $497 = 10 + 487$ is a primitive root modulo $487^2$. ◄


Primitive Roots Modulo $p^k$, $p$ Prime and $k$ a Positive Integer Next, we show that arbitrary powers of odd primes have primitive roots.

Theorem 9.10. Let $p$ be an odd prime. Then $p^k$ has a primitive root for all positive integers $k$. Moreover, if $r$ is a primitive root modulo $p^2$, then $r$ is a primitive root modulo $p^k$, for all positive integers $k$.


Proof. By Theorem 9.9, we know that $p$ has a primitive root $r$ that is also a primitive root modulo $p^2$, so that

(9.2) $r^{p-1} \not\equiv 1 \pmod{p^2}$.

Using mathematical induction, we will prove that for this primitive root $r$,

(9.3) $r^{p^{k-2}(p-1)} \not\equiv 1 \pmod{p^k}$

for all positive integers $k$, $k \ge 2$.

Once we have established this incongruence, we can show that $r$ is also a primitive root modulo $p^k$ by the following reasoning. Let

$$n = \mathrm{ord}_{p^k} r.$$

By Corollary 9.1.1, we know that $n \mid \phi(p^k)$. By Theorem 7.3, we have $\phi(p^k) = p^{k-1}(p - 1)$. Hence, $n \mid p^{k-1}(p - 1)$. On the other hand, because

$$r^n \equiv 1 \pmod{p^k},$$

we also know that

$$r^n \equiv 1 \pmod{p}.$$

Because $r$ is a primitive root modulo $p$, we have $\mathrm{ord}_p r = \phi(p)$. By Theorem 7.2, we know that $\phi(p) = p - 1$. It follows that $\mathrm{ord}_p r = p - 1$. Therefore, by Theorem 9.1, we see that $p - 1 \mid n$.

Because $p - 1 \mid n$ and $n \mid p^{k-1}(p - 1)$, we know that $n = p^t(p - 1)$, where $t$ is an integer such that $0 \le t \le k - 1$. If $t \le k - 2$, then

$$r^{p^{k-2}(p-1)} = \left(r^{p^t(p-1)}\right)^{p^{k-2-t}} \equiv 1 \pmod{p^k},$$

which would contradict (9.3). Hence, $\mathrm{ord}_{p^k} r = p^{k-1}(p - 1) = \phi(p^k)$. Consequently, $r$ is also a primitive root modulo $p^k$.

All that remains is to prove (9.3) using mathematical induction. The case of $k = 2$ follows from (9.2). Let us assume that the assertion is true for the positive integer $k \ge 2$. Then

$$r^{p^{k-2}(p-1)} \not\equiv 1 \pmod{p^k}.$$

Because $(r, p) = 1$, we know that $(r, p^{k-1}) = 1$. Consequently, from Euler's theorem, we know that

$$r^{p^{k-2}(p-1)} = r^{\phi(p^{k-1})} \equiv 1 \pmod{p^{k-1}}.$$

Therefore, there is an integer $d$ such that

$$r^{p^{k-2}(p-1)} = 1 + d p^{k-1},$$

where $p \nmid d$, because by hypothesis $r^{p^{k-2}(p-1)} \not\equiv 1 \pmod{p^k}$. We take the $p$th power of both sides of the above equation to obtain, via the binomial theorem and using the hypothesis that $p$ is odd,

$$\begin{aligned}
r^{p^{k-1}(p-1)} &= (1 + d p^{k-1})^p \\
&= 1 + p(d p^{k-1}) + \binom{p}{2}(d p^{k-1})^2 + \cdots + (d p^{k-1})^p \\
&\equiv 1 + d p^k \pmod{p^{k+1}}.
\end{aligned}$$

Because $p \nmid d$, we can conclude that

$$r^{p^{k-1}(p-1)} \not\equiv 1 \pmod{p^{k+1}}.$$

This completes the proof by induction. ■

Example 9.15. By Example 9.13, we know that $r = 3$ is a primitive root modulo 7 and $7^2$. Hence, Theorem 9.10 tells us that $r = 3$ is also a primitive root modulo $7^k$ for all positive integers $k$. ◄

Primitive Roots and Powers of 2 It is now time to discuss whether there are primitive roots modulo powers of 2. We first note that both 2 and $2^2 = 4$ have primitive roots, namely, 1 and 3, respectively. For higher powers of 2, the situation is different, as the following theorem shows; there are no primitive roots modulo these powers of 2.

Theorem 9.11. If $a$ is an odd integer and $k$ is an integer with $k \ge 3$, then

$$a^{\phi(2^k)/2} = a^{2^{k-2}} \equiv 1 \pmod{2^k}.$$

Proof. We prove this result using mathematical induction. Suppose that $a$ is an odd integer. We can prove that it is true for $k = 3$ as follows. By Exercise 5 of Section 4.1, we have

$$a^2 \equiv 1 \pmod{8}.$$

This is the desired congruence when $k = 3$ because $\phi(2^3) = 4$.

Now, to complete the induction argument, let us assume that

$$a^{2^{k-2}} \equiv 1 \pmod{2^k}.$$

Then there is an integer $d$ such that

$$a^{2^{k-2}} = 1 + d \cdot 2^k.$$

Squaring both sides of the above equality, we obtain

$$a^{2^{k-1}} = 1 + d \cdot 2^{k+1} + d^2 2^{2k}.$$

This yields

$$a^{2^{k-1}} \equiv 1 \pmod{2^{k+1}},$$

which completes the induction argument. ■


We can conclude by Theorem 9.11 that no power of 2, other than 2 and 4, has a 
primitive root. To see this, note that when $a$ is an odd integer, $\operatorname{ord}_{2^k} a \neq \phi(2^k)$, because 

$$a^{\phi(2^k)/2} \equiv 1 \pmod{2^k}.$$

Even though there are no primitive roots modulo $2^k$ for $k \geq 3$, there always is an 
element of largest possible order, namely, $\phi(2^k)/2$, as the following theorem shows. 


Theorem 9.12. Let $k \geq 3$ be an integer. Then 

$$\operatorname{ord}_{2^k} 5 = \phi(2^k)/2 = 2^{k-2}.$$

Proof. Theorem 9.11 tells us that 

$$5^{2^{k-2}} \equiv 1 \pmod{2^k}$$

for $k \geq 3$. By Theorem 9.1, we see that $\operatorname{ord}_{2^k} 5 \mid 2^{k-2}$. Therefore, if we show that 
$\operatorname{ord}_{2^k} 5 \nmid 2^{k-3}$, we can conclude that 

$$\operatorname{ord}_{2^k} 5 = 2^{k-2}.$$

To show that $\operatorname{ord}_{2^k} 5 \nmid 2^{k-3}$, we will prove by mathematical induction that, for $k \geq 3$, 

$$5^{2^{k-3}} \equiv 1 + 2^{k-1} \not\equiv 1 \pmod{2^k}.$$

For $k = 3$, we have 

$$5 \equiv 1 + 4 \pmod{8}.$$

Now, we assume that 

$$5^{2^{k-3}} \equiv 1 + 2^{k-1} \pmod{2^k}.$$

This means that there is an integer $d$ such that 

$$5^{2^{k-3}} = (1 + 2^{k-1}) + d2^k.$$

Squaring both sides, we find that 

$$5^{2^{k-2}} = (1 + 2^{k-1})^2 + 2(1 + 2^{k-1})d2^k + (d2^k)^2,$$

so that 

$$5^{2^{k-2}} \equiv (1 + 2^{k-1})^2 = 1 + 2^k + 2^{2k-2} \equiv 1 + 2^k \pmod{2^{k+1}}.$$

This completes the induction argument and shows that 

$$\operatorname{ord}_{2^k} 5 = \phi(2^k)/2.$$ ■


Primitive Roots Modulo Integers Not Prime Powers We have now demonstrated 
that all powers of odd primes possess primitive roots, while the only powers of 2 having 
primitive roots are 2 and 4. Next, we determine which integers not powers of primes— 
that is, those integers divisible by two or more primes—have primitive roots. We will 
demonstrate that the only positive integers not powers of primes that possess primitive 
roots are twice powers of odd primes. 


We first narrow the set of positive integers that we must consider with the following 
result. 
Theorem 9.13. If $n$ is a positive integer that is not a prime power or twice a prime 
power, then $n$ does not have a primitive root. 

Proof. Let $n$ be a positive integer with prime-power factorization 

$$n = p_1^{t_1} p_2^{t_2} \cdots p_m^{t_m}.$$

Let us assume that the integer $n$ has a primitive root $r$. This means that $(r, n) = 1$ 
and $\operatorname{ord}_n r = \phi(n)$. Because $(r, n) = 1$, we know that $(r, p^t) = 1$, whenever $p^t$ is one of 
the prime powers occurring in the factorization of $n$. By Euler's theorem, we know that 

$$r^{\phi(p^t)} \equiv 1 \pmod{p^t}.$$

Now, let $U$ be the least common multiple of $\phi(p_1^{t_1}), \phi(p_2^{t_2}), \ldots, \phi(p_m^{t_m})$, that is, 

$$U = [\phi(p_1^{t_1}), \phi(p_2^{t_2}), \ldots, \phi(p_m^{t_m})].$$

Because $\phi(p_i^{t_i}) \mid U$, we know that 

$$r^U \equiv 1 \pmod{p_i^{t_i}}$$

for $i = 1, 2, \ldots, m$. Using Theorem 4.8, it now follows that 

$$r^U \equiv 1 \pmod{n},$$

which implies that 

$$\operatorname{ord}_n r = \phi(n) \leq U.$$

By Theorem 7.4, because $\phi$ is multiplicative, we have 

$$\phi(n) = \phi(p_1^{t_1} p_2^{t_2} \cdots p_m^{t_m}) = \phi(p_1^{t_1})\phi(p_2^{t_2}) \cdots \phi(p_m^{t_m}).$$

This formula for $\phi(n)$ and the inequality $\phi(n) \leq U$ imply that 

$$\phi(p_1^{t_1})\phi(p_2^{t_2}) \cdots \phi(p_m^{t_m}) \leq [\phi(p_1^{t_1}), \phi(p_2^{t_2}), \ldots, \phi(p_m^{t_m})].$$

Because the product of a set of integers is less than or equal to their least common 
multiple only if the integers are pairwise relatively prime (and then the "less than or 
equal to" relation is really just an equality), the integers $\phi(p_1^{t_1}), \phi(p_2^{t_2}), \ldots, \phi(p_m^{t_m})$ 
must be pairwise relatively prime. 

We note that $\phi(p^t) = p^{t-1}(p - 1)$, so that $\phi(p^t)$ is even if $p$ is odd, or if $p = 2$ and 
$t \geq 2$. Hence, the numbers $\phi(p_1^{t_1}), \phi(p_2^{t_2}), \ldots, \phi(p_m^{t_m})$ are not pairwise relatively prime 
unless $m = 1$ and $n$ is a prime power, or $m = 2$ and $n = 2p^t$, where $p$ is an odd prime 
and $t$ is a positive integer. ■


We have now limited our consideration to integers of the form $n = 2p^t$, where $p$ is 
an odd prime and $t$ is a positive integer. We now show that all such integers have primitive 
roots. 

Theorem 9.14. If $p$ is an odd prime and $t$ is a positive integer, then $2p^t$ possesses a 
primitive root. In fact, if $r$ is a primitive root modulo $p^t$, then if $r$ is odd, it is also a 
primitive root modulo $2p^t$; whereas if $r$ is even, then $r + p^t$ is a primitive root modulo 
$2p^t$. 

Proof. If $r$ is a primitive root modulo $p^t$, then 

$$r^{\phi(p^t)} \equiv 1 \pmod{p^t},$$

and no positive exponent smaller than $\phi(p^t)$ has this property. By Theorem 7.4, we note 
that $\phi(2p^t) = \phi(2)\phi(p^t) = \phi(p^t)$, so that $r^{\phi(2p^t)} \equiv 1 \pmod{p^t}$. 
If $r$ is odd, then 

$$r^{\phi(2p^t)} \equiv 1 \pmod{2}.$$

Thus, by Corollary 4.8.1, we see that $r^{\phi(2p^t)} \equiv 1 \pmod{2p^t}$. No smaller power of $r$ 
is congruent to 1 modulo $2p^t$. Such a power would also be congruent to 1 modulo $p^t$, 
contradicting the assumption that $r$ is a primitive root of $p^t$. It follows that $r$ is a primitive 
root modulo $2p^t$. 

On the other hand, if $r$ is even, then $r + p^t$ is odd. Hence, 

$$(r + p^t)^{\phi(2p^t)} \equiv 1 \pmod{2}.$$

Because $r + p^t \equiv r \pmod{p^t}$, we see that 

$$(r + p^t)^{\phi(2p^t)} \equiv 1 \pmod{p^t}.$$

Therefore, $(r + p^t)^{\phi(2p^t)} \equiv 1 \pmod{2p^t}$, and as no smaller power of $r + p^t$ is congruent 
to 1 modulo $2p^t$, we see that $r + p^t$ is a primitive root modulo $2p^t$. ■


Example 9.16. Earlier in this section we showed that 3 is a primitive root modulo $7^t$ 
for all positive integers $t$. Hence, because 3 is odd, Theorem 9.14 tells us that 3 is also a 
primitive root modulo $2 \cdot 7^t$ for all positive integers $t$. For instance, 3 is a primitive root 
modulo 14. 

Similarly, we know that 2 is a primitive root modulo $5^t$ for all positive integers $t$. 
Because $2 + 5^t$ is odd, Theorem 9.14 tells us that $2 + 5^t$ is a primitive root modulo $2 \cdot 5^t$ 
for all positive integers $t$. For example, 27 is a primitive root modulo 50. ◄


Putting Everything Together Combining Corollary 9.8.1 and Theorems 9.10, 9.11, 
9.13, and 9.14, we can now describe which positive integers have a primitive root. 


Theorem 9.15. The positive integer $n$, $n > 1$, possesses a primitive root if and only if 

$$n = 2, 4, p^t, \text{ or } 2p^t,$$

where $p$ is an odd prime and $t$ is a positive integer. 
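The classification in Theorem 9.15, the order of 5 modulo $2^k$ from Theorem 9.12, and the lifting rule of Theorem 9.14 can all be checked by brute force for small moduli. The following Python sketch is an added example, not part of the book; the function names are hypothetical and the search is only meant for small n.

```python
from math import gcd

def phi(n):
    """Euler's phi function, counted directly (fine for small n)."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)

def order(a, n):
    """ord_n a: least positive k with a^k = 1 (mod n); needs n >= 2 and (a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError("a must be relatively prime to n")
    k, x = 1, a % n
    while x != 1:
        x = x * a % n
        k += 1
    return k

def primitive_roots(n):
    """All primitive roots modulo n in the range 1..n-1 (empty list if none)."""
    target = phi(n)
    return [a for a in range(1, n) if gcd(a, n) == 1 and order(a, n) == target]

def has_theorem_9_15_form(n):
    """True when n is 2, 4, p^t or 2p^t with p an odd prime and t >= 1."""
    if n in (2, 4):
        return True
    m = n // 2 if n % 2 == 0 else n      # strip at most one factor of 2
    if m < 3 or m % 2 == 0:
        return False
    p = 3
    while m % p != 0:                    # smallest divisor > 1 of odd m is prime
        p += 2
    while m % p == 0:
        m //= p
    return m == 1                        # nothing left: m was a power of p

def lift_to_twice_prime_power(r, pt):
    """Theorem 9.14: from a primitive root r mod p^t to one mod 2p^t."""
    return r if r % 2 == 1 else r + pt

def max_order_mod_power_of_two(k):
    """Largest order of an odd residue modulo 2^k."""
    n = 2 ** k
    return max(order(a, n) for a in range(1, n, 2))

if __name__ == "__main__":
    for n in range(2, 31):
        roots = primitive_roots(n)
        print(n, has_theorem_9_15_form(n), roots[:1] or "none")
    for k in range(3, 9):
        print(k, order(5, 2 ** k), max_order_mod_power_of_two(k), phi(2 ** k))
```
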


9.3 EXERCISES 

1. Which of the integers 4, 10, 16, 22, and 28 have a primitive root? 

2. Which of the integers 8, 9, 12, 26, 27, 31, and 33 have a primitive root? 

3. Find a primitive root modulo each of the following moduli. 
a) $3^2$ b) $5^2$ c) $23^2$ d) $29^2$ 

4. Find a primitive root modulo each of the following moduli. 
a) $11^2$ b) $13^2$ c) $17^2$ d) $19^2$ 

5. Find a primitive root for all positive integers $k$ modulo each of the following moduli. 
a) $3^k$ b) $11^k$ c) $13^k$ d) $17^k$ 

6. Find a primitive root for all positive integers $k$ modulo each of the following moduli. 
a) $23^k$ b) $29^k$ c) $31^k$ d) $37^k$ 

7. Find a primitive root modulo each of the following moduli. 
a) 10 b) 34 c) 38 d) 50 

8. Find a primitive root modulo each of the following moduli. 
a) 6 b) 18 c) 26 d) 338 

9. Find all the primitive roots modulo 22. 

10. Find all the primitive roots modulo 25. 

11. Find all the primitive roots modulo 38. 

12. Show that there are the same number of primitive roots modulo $2p^t$ as there are modulo $p^t$, 
where $p$ is an odd prime and $t$ is a positive integer. 

13. Show that the integer $m$ has a primitive root if and only if the only solutions of the congruence 
$x^2 \equiv 1 \pmod{m}$ are $x \equiv \pm 1 \pmod{m}$. 

14. Let $n$ be a positive integer possessing a primitive root. Using this primitive root, prove that 
the product of all positive integers less than $n$ and relatively prime to $n$ is congruent to $-1$ 
modulo $n$. (When $n$ is prime, this result is Wilson's theorem (Theorem 6.1).) 

15. Show that although there are no primitive roots modulo $2^k$ where $k$ is an integer, $k \geq 3$, every 
odd integer is congruent modulo $2^k$ to exactly one of the integers $(-1)^{\alpha} 5^{\beta}$, where $\alpha = 0$ or 1 
and $\beta$ is an integer satisfying $0 \leq \beta \leq 2^{k-2} - 1$. 

16. Find the smallest odd prime $p$ that has a primitive root $r$ that is not also a primitive root 
modulo $p^2$. 


Computations and Explorations 


1. Find as many examples as you can where $r$ is a primitive root of the prime $p$ but $r$ is not a 
primitive root of $p^2$. Can you make any conjectures about how often this occurs? 


Programming Projects 


1. Find primitive roots modulo powers of odd primes. 

2. Find primitive roots modulo twice powers of odd primes. 


9.4 Discrete Logarithms and Index Arithmetic 


In this section, we demonstrate how primitive roots may be used to do modular arithmetic. 
Let $r$ be a primitive root modulo the positive integer $m$ (so that $m$ is of the form described 
in Theorem 9.15). By Theorem 9.3, we know that the integers 

$$r, r^2, r^3, \ldots, r^{\phi(m)}$$

form a reduced system of residues modulo $m$. From this fact, we see that if $a$ is an integer 
relatively prime to $m$, then there is a unique integer $x$ with $1 \leq x \leq \phi(m)$ such that 

$$r^x \equiv a \pmod{m}.$$

This leads to the following definition. 

Definition. Let $m$ be a positive integer with primitive root $r$, and let $a$ be a positive 
integer with $(a, m) = 1$. The unique integer $x$ with $1 \leq x \leq \phi(m)$ and $r^x \equiv a \pmod{m}$ 
is called the index (or discrete logarithm) of $a$ to the base $r$ modulo $m$ and is denoted by 
$\operatorname{ind}_r a$, where we do not indicate the modulus $m$ in the notation, as we assume it to be 
fixed. 

From the definition, we see that $r^{\operatorname{ind}_r a} \equiv a \pmod{m}$. We also observe that if $a$ and $b$ are 
integers relatively prime to $m$, then $a \equiv b \pmod{m}$ if and only if $\operatorname{ind}_r a = \operatorname{ind}_r b$. 

Indices share many properties of logarithms, but with equalities replaced with 
congruences modulo $\phi(m)$ (that is why they are called discrete logarithms). 


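Example 9.17. Let $m = 7$. We have seen that 3 is a primitive root modulo 7 and that 
$3^1 \equiv 3 \pmod{7}$, $3^2 \equiv 2 \pmod{7}$, $3^3 \equiv 6 \pmod{7}$, $3^4 \equiv 4 \pmod{7}$, $3^5 \equiv 5 \pmod{7}$, and 
$3^6 \equiv 1 \pmod{7}$. 
Hence, modulo 7, we have 

$$\operatorname{ind}_3 1 = 6, \quad \operatorname{ind}_3 2 = 2, \quad \operatorname{ind}_3 3 = 1,$$

$$\operatorname{ind}_3 4 = 4, \quad \operatorname{ind}_3 5 = 5, \quad \operatorname{ind}_3 6 = 3.$$

With a different primitive root modulo 7, we obtain a different set of indices. For instance, 
calculations show that with respect to the primitive root 5, 

$$\operatorname{ind}_5 1 = 6, \quad \operatorname{ind}_5 2 = 4, \quad \operatorname{ind}_5 3 = 5,$$

$$\operatorname{ind}_5 4 = 2, \quad \operatorname{ind}_5 5 = 1, \quad \operatorname{ind}_5 6 = 3.$$ ◄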
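Properties of Indices We now develop properties of indices modulo $m$ similar to 
those of logarithms, but instead of equalities, we have congruences modulo $\phi(m)$. 

Theorem 9.16. Let $m$ be a positive integer with primitive root $r$, and let $a$ and $b$ be 
integers relatively prime to $m$. Then 

(i) $\operatorname{ind}_r 1 \equiv 0 \pmod{\phi(m)}$, 
(ii) $\operatorname{ind}_r(ab) \equiv \operatorname{ind}_r a + \operatorname{ind}_r b \pmod{\phi(m)}$, 
(iii) $\operatorname{ind}_r a^k \equiv k \cdot \operatorname{ind}_r a \pmod{\phi(m)}$ if $k$ is a positive integer. 

Proof of (i). From Euler's theorem, we know that $r^{\phi(m)} \equiv 1 \pmod{m}$. Because $r$ is a 
primitive root modulo $m$, no smaller positive power of $r$ is congruent to 1 modulo $m$. 
Hence, $\operatorname{ind}_r 1 = \phi(m) \equiv 0 \pmod{\phi(m)}$. 

Proof of (ii). To prove this congruence, note that from the definition of indices, 

$$r^{\operatorname{ind}_r(ab)} \equiv ab \pmod{m}$$

and 

$$r^{\operatorname{ind}_r a + \operatorname{ind}_r b} \equiv r^{\operatorname{ind}_r a} \cdot r^{\operatorname{ind}_r b} \equiv ab \pmod{m}.$$

Hence, 

$$r^{\operatorname{ind}_r(ab)} \equiv r^{\operatorname{ind}_r a + \operatorname{ind}_r b} \pmod{m}.$$

Using Theorem 9.2, we conclude that 

$$\operatorname{ind}_r(ab) \equiv \operatorname{ind}_r a + \operatorname{ind}_r b \pmod{\phi(m)}.$$

Proof of (iii). To prove the congruence of interest, first note that by definition, we have 

$$r^{\operatorname{ind}_r a^k} \equiv a^k \pmod{m}$$

and 

$$r^{k \cdot \operatorname{ind}_r a} \equiv (r^{\operatorname{ind}_r a})^k \pmod{m}.$$

Hence, 

$$r^{\operatorname{ind}_r a^k} \equiv r^{k \cdot \operatorname{ind}_r a} \pmod{m}.$$

Using Theorem 9.2, this leads us immediately to the congruence we want, namely, 

$$\operatorname{ind}_r a^k \equiv k \cdot \operatorname{ind}_r a \pmod{\phi(m)}.$$ ■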
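Example 9.18. From the previous examples, we see that, modulo 7, $\operatorname{ind}_5 2 = 4$ and 
$\operatorname{ind}_5 3 = 5$. Because $\phi(7) = 6$, part (ii) of Theorem 9.16 tells us that 

$$\operatorname{ind}_5 6 = \operatorname{ind}_5(2 \cdot 3) = \operatorname{ind}_5 2 + \operatorname{ind}_5 3 = 4 + 5 = 9 \equiv 3 \pmod{6}.$$

Note that this agrees with the value previously found for $\operatorname{ind}_5 6$. 
From part (iii) of Theorem 9.16, we see that 

$$\operatorname{ind}_5 3^4 \equiv 4 \cdot \operatorname{ind}_5 3 \equiv 4 \cdot 5 = 20 \equiv 2 \pmod{6}.$$

Note that direct computation gives the same result, because 

$$\operatorname{ind}_5 3^4 = \operatorname{ind}_5 81 = \operatorname{ind}_5 4 = 2.$$ ◄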


Indices are helpful in the solution of certain types of congruences. Consider the 
following examples. 


Example 9.19. We will use indices to solve the congruence $6x^{12} \equiv 11 \pmod{17}$. We 
find that 3 is a primitive root of 17 (because $3^8 \equiv -1 \pmod{17}$). The indices of integers 
to the base 3 modulo 17 are given in Table 9.1. 

| a | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 |
| ind_3 a | 16 | 14 | 1 | 12 | 5 | 15 | 11 | 10 | 2 | 3 | 7 | 13 | 4 | 9 | 6 | 8 |

Table 9.1 Indices to the base 3 modulo 17. 

Taking the index of each side of the congruence to the base 3 modulo 17, we obtain 
a congruence modulo $\phi(17) = 16$, namely, 

$$\operatorname{ind}_3(6x^{12}) \equiv \operatorname{ind}_3 11 = 7 \pmod{16}.$$

Using parts (ii) and (iii) of Theorem 9.16, we obtain 

$$\operatorname{ind}_3(6x^{12}) \equiv \operatorname{ind}_3 6 + \operatorname{ind}_3(x^{12}) \equiv 15 + 12 \cdot \operatorname{ind}_3 x \pmod{16}.$$

Hence, 

$$15 + 12 \cdot \operatorname{ind}_3 x \equiv 7 \pmod{16}$$

or 

$$12 \cdot \operatorname{ind}_3 x \equiv 8 \pmod{16}.$$

From this congruence, it follows (as the reader should show) that 

$$\operatorname{ind}_3 x \equiv 2 \pmod{4}.$$

Hence, 

$$\operatorname{ind}_3 x \equiv 2, 6, 10, \text{ or } 14 \pmod{16}.$$

Consequently, from the definition of indices, we find that 

$$x \equiv 3^2, 3^6, 3^{10}, \text{ or } 3^{14} \pmod{17}.$$

(Note that this congruence holds modulo 17.) Because $3^2 \equiv 9$, $3^6 \equiv 15$, $3^{10} \equiv 8$, and 
$3^{14} \equiv 2 \pmod{17}$, we conclude that 

$$x \equiv 9, 15, 8, \text{ or } 2 \pmod{17}.$$

Because each step in the computations is reversible, there are four incongruent solutions 
of the original congruence modulo 17. ◄


Example 9.20. We wish to find all solutions of the congruence $7^x \equiv 6 \pmod{17}$. When 
we take indices to the base 3 modulo 17 of both sides of this congruence, we find that 

$$\operatorname{ind}_3(7^x) \equiv \operatorname{ind}_3 6 = 15 \pmod{16}.$$

By part (iii) of Theorem 9.16, we obtain 

$$\operatorname{ind}_3(7^x) \equiv x \cdot \operatorname{ind}_3 7 \equiv 11x \pmod{16}.$$

Hence, 

$$11x \equiv 15 \pmod{16}.$$

Because 3 is an inverse of 11 modulo 16, we multiply both sides of the linear congruence 
above by 3, to find that 

$$x \equiv 3 \cdot 15 = 45 \equiv 13 \pmod{16}.$$

All steps in this computation are reversible. Therefore, the solutions of 

$$7^x \equiv 6 \pmod{17}$$

are given by 

$$x \equiv 13 \pmod{16}.$$ ◄
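The index method of Examples 9.17, 9.19 and 9.20 translates directly into code: build the table of indices once, reduce the congruence to a linear congruence modulo $\phi(m)$, and map the solutions back through the primitive root. The Python sketch below is an added example, not part of the book; the function names are hypothetical, and it needs Python 3.8 or later for the modular inverse via `pow`.

```python
from math import gcd

def index_table(r, m, phi_m):
    """Map a -> ind_r a for every a relatively prime to m (r a primitive root mod m)."""
    table, x = {}, 1
    for k in range(1, phi_m + 1):
        x = x * r % m
        table[x] = k
    if len(table) != phi_m:
        raise ValueError("r is not a primitive root modulo m")
    return table

def solve_linear(a, b, n):
    """All y in 0..n-1 with a*y = b (mod n); there are (a, n) of them or none."""
    d = gcd(a, n)
    if b % d != 0:
        return []
    a1, b1, n1 = a // d, b // d, n // d
    y0 = b1 * pow(a1, -1, n1) % n1
    return [y0 + i * n1 for i in range(d)]

def solve_power_congruence(a, b, c, r, m, phi_m):
    """Solve a * x^b = c (mod m) for x, with (a, m) = (c, m) = 1, using indices to base r."""
    ind = index_table(r, m, phi_m)
    # ind(a) + b*ind(x) = ind(c)  (mod phi(m))  by Theorem 9.16 (ii) and (iii)
    rhs = (ind[c % m] - ind[a % m]) % phi_m
    return sorted(pow(r, y, m) for y in solve_linear(b, rhs, phi_m))

def solve_exponential_congruence(base, c, r, m, phi_m):
    """Solve base^x = c (mod m) for x modulo phi(m), using indices to base r."""
    ind = index_table(r, m, phi_m)
    # x * ind(base) = ind(c)  (mod phi(m))  by Theorem 9.16 (iii)
    return sorted(solve_linear(ind[base % m], ind[c % m] % phi_m, phi_m))

if __name__ == "__main__":
    table = index_table(3, 17, 16)
    print([table[a] for a in range(1, 17)])               # Table 9.1
    print(solve_power_congruence(6, 12, 11, 3, 17, 16))   # Example 9.19
    print(solve_exponential_congruence(7, 6, 3, 17, 16))  # Example 9.20
```
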
The Difficulty of Finding Discrete Logarithms 


Given a prime p and a primitive root r, the problem of finding the index (discrete 
logarithm) of an integer a to the base r modulo p is called the discrete logarithm problem. 
This problem is believed to be as computationally difficult as that of factoring integers. 
For this reason, it has been used as the basis for several public key cryptosystems, such as 
the ElGamal cryptosystem discussed in Section 10.2, and protocols, such as the Diffie- 
Hellman key agreement scheme discussed in Section 8.3. With the growing importance 
of the discrete logarithm problem in cryptography, a great deal of research has been 
devoted to constructing efficient algorithms for computing discrete logarithms. The most 
efficient algorithm known for computing discrete logarithms is the number-field sieve 
method, which requires approximately the same number of bit operations to find discrete 
logarithms modulo a prime p as it would to factor a composite number of about the same 
size as p. To determine how long it takes to solve the discrete logarithm problem modulo 
a prime p, consult Table 3.2, which shows how long it takes to factor an integer n of the 
same number of decimal digits as p. For more information about the discrete logarithm 
problem, and algorithms for solving it, consult [MevaVa97] and the many references 
cited there. 


Power Residues 


Indices are also helpful for studying congruences of the form $x^k \equiv a \pmod{m}$, where $m$ is 
a positive integer with a primitive root and $(a, m) = 1$. Before we study such congruences, 
we present a definition. 

Definition. If $m$ and $k$ are positive integers and $a$ is an integer relatively prime to $m$, 
then we say that $a$ is a $k$th power residue of $m$ if the congruence $x^k \equiv a \pmod{m}$ has a 
solution. 

When $m$ is an integer possessing a primitive root, the following theorem gives a 
useful criterion for an integer $a$ relatively prime to $m$ to be a $k$th power residue of $m$. 

Theorem 9.17. Let $m$ be a positive integer with a primitive root. If $k$ is a positive 
integer and $a$ is an integer relatively prime to $m$, then the congruence $x^k \equiv a \pmod{m}$ 
has a solution if and only if 

$$a^{\phi(m)/d} \equiv 1 \pmod{m},$$

where $d = (k, \phi(m))$. Furthermore, if there are solutions of $x^k \equiv a \pmod{m}$, then there 
are exactly $d$ incongruent solutions modulo $m$. 

Proof. Let $r$ be a primitive root of $m$. We note that the congruence 

$$x^k \equiv a \pmod{m}$$

holds if and only if the indices to the base $r$ of the two sides of this congruence are 
congruent modulo $\phi(m)$. Consequently, the previous congruence holds if and only if 

$$(9.4) \qquad k \cdot \operatorname{ind}_r x \equiv \operatorname{ind}_r a \pmod{\phi(m)}.$$

Now let $d = (k, \phi(m))$ and $y = \operatorname{ind}_r x$, so that $x \equiv r^y \pmod{m}$. By Theorem 4.10, we 
note that if $d \nmid \operatorname{ind}_r a$, then the linear congruence 

$$(9.5) \qquad ky \equiv \operatorname{ind}_r a \pmod{\phi(m)}$$

has no solutions and, hence, there are no integers $x$ satisfying (9.4). If $d \mid \operatorname{ind}_r a$, then 
there are exactly $d$ integers $y$ incongruent modulo $\phi(m)$ such that (9.5) holds and, hence, 
exactly $d$ integers $x$ incongruent modulo $m$ such that (9.4) holds. Because $d \mid \operatorname{ind}_r a$ if 
and only if 

$$(\phi(m)/d)\operatorname{ind}_r a \equiv 0 \pmod{\phi(m)},$$

and this congruence holds if and only if 

$$a^{\phi(m)/d} \equiv 1 \pmod{m},$$

the theorem is true. ■


We note that Theorem 9.17 tells us that if $p$ is a prime, $k$ is a positive integer, and $a$ 
is an integer relatively prime to $p$, then $a$ is a $k$th power residue of $p$ if and only if 

$$a^{(p-1)/d} \equiv 1 \pmod{p},$$

where $d = (k, p - 1)$. We illustrate this observation with an example. 

Example 9.21. To determine whether 5 is a sixth power residue of 17, that is, whether 
the congruence 

$$x^6 \equiv 5 \pmod{17}$$

has a solution, we determine that 

$$5^{16/(6,16)} = 5^8 \equiv -1 \pmod{17}.$$

Hence, 5 is not a sixth power residue of 17. ◄
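The criterion of Theorem 9.17 replaces a search over all x by a single modular exponentiation, and it depends on the hypothesis that m has a primitive root. The Python sketch below is an added example, not part of the book, with hypothetical function names: it compares the criterion and the predicted solution count d against brute force, and shows the comparison failing for m = 8, which has no primitive root.

```python
from math import gcd

def phi(m):
    """Euler's phi function, counted directly (fine for small m)."""
    return sum(1 for a in range(1, m + 1) if gcd(a, m) == 1)

def criterion(a, k, m):
    """Theorem 9.17 test: returns (a^(phi(m)/d) == 1 mod m, d) with d = (k, phi(m))."""
    f = phi(m)
    d = gcd(k, f)
    return pow(a, f // d, m) == 1, d

def kth_roots(a, k, m):
    """Brute force: every x in 0..m-1 with x^k = a (mod m)."""
    return [x for x in range(m) if pow(x, k, m) == a % m]

def mismatches(m):
    """Pairs (a, k) for which the criterion or the count d disagrees with brute force."""
    bad = []
    f = phi(m)
    for a in range(1, m):
        if gcd(a, m) != 1:
            continue
        for k in range(1, f + 1):
            passes, d = criterion(a, k, m)
            expected = d if passes else 0   # d solutions when solvable, else none
            if len(kth_roots(a, k, m)) != expected:
                bad.append((a, k))
    return bad

def power_residues(k, m):
    """All kth power residues of m, found with the criterion alone."""
    return [a for a in range(1, m) if gcd(a, m) == 1 and criterion(a, k, m)[0]]

if __name__ == "__main__":
    print(criterion(5, 6, 17), kth_roots(5, 6, 17))   # Example 9.21
    print(power_residues(6, 17))
    for m in (17, 18, 25, 50, 8):
        print(m, mismatches(m)[:3])
```
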


A table of indices with respect to the least primitive root modulo each prime less 
than 100 is given in Table 4 of Appendix E. 


Proving Theorem 6.10 This proof of Theorem 6.10 is quite long and complicated, 
but is based only on results already established. We present this proof to give the reader 
an indication that even elementary proofs can be difficult to create and hard to follow. As 
you read this proof, follow each part carefully and check each separate case. We restate 
Theorem 6.10 for convenience. 


Theorem 6.10. If $n$ is an odd composite positive integer, then $n$ passes Miller's test for 
at most $(n - 1)/4$ bases $b$ with $1 \leq b \leq n - 1$. 

We need the following lemma in the proof. 

Lemma 9.2. Let $p$ be an odd prime and let $e$ and $q$ be positive integers. Then the number 
of incongruent solutions of the congruence $x^q \equiv 1 \pmod{p^e}$ is $(q, p^{e-1}(p - 1))$. 

Proof. Let $r$ be a primitive root of $p^e$. By taking indices with respect to $r$, we see 
that $x^q \equiv 1 \pmod{p^e}$ if and only if $qy \equiv 0 \pmod{\phi(p^e)}$, where $y = \operatorname{ind}_r x$. Using 
Theorem 4.10, we see that there are exactly $(q, \phi(p^e))$ incongruent solutions of $qy \equiv 
0 \pmod{\phi(p^e)}$. Consequently, there are $(q, \phi(p^e)) = (q, p^{e-1}(p - 1))$ incongruent 
solutions of $x^q \equiv 1 \pmod{p^e}$. ■


We now proceed with a proof of Theorem 6.10. 


Proof. Let $n - 1 = 2^s t$, where $s$ is a positive integer and $t$ is an odd positive integer. 
For $n$ of Theorem 6.10 to be a strong pseudoprime to the base $b$, either 

$$b^t \equiv 1 \pmod{n}$$

or 

$$b^{2^j t} \equiv -1 \pmod{n}$$

for some integer $j$ with $0 \leq j \leq s - 1$. In either case, we have 

$$b^{n-1} \equiv 1 \pmod{n}.$$

Let the prime-power factorization of $n$ be $n = p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r}$. By Lemma 9.2, we 
know that there are $(n - 1, p_j^{e_j - 1}(p_j - 1)) = (n - 1, p_j - 1)$ incongruent solutions of 
$x^{n-1} \equiv 1 \pmod{p_j^{e_j}}$, $j = 1, 2, \ldots, r$. Consequently, the Chinese remainder theorem tells 
us that there are exactly $\prod_{j=1}^{r} (n - 1, p_j - 1)$ incongruent solutions of $x^{n-1} \equiv 1 \pmod{n}$. 

We consider two cases. 

Case (i). We first consider the case where the prime-power factorization of $n$ contains 
a prime power $p_k^{e_k}$ with exponent $e_k \geq 2$. Because 

$$(p_k - 1)/p_k^{e_k} = (1/p_k^{e_k - 1}) - (1/p_k^{e_k}) \leq 2/9$$

(the largest possible value occurs when $p_k = 3$ and $e_k = 2$), we see that 

$$\prod_{j=1}^{r} (n - 1, p_j - 1) \leq \prod_{j=1}^{r} (p_j - 1) \leq \Bigl(\prod_{j \neq k} p_j\Bigr)\Bigl(\tfrac{2}{9} p_k^{e_k}\Bigr) \leq \tfrac{2}{9} n.$$

Because $\tfrac{2}{9} n \leq \tfrac{1}{4}(n - 1)$ for $n \geq 9$, it follows that 

$$\prod_{j=1}^{r} (n - 1, p_j - 1) \leq (n - 1)/4.$$

Consequently, there are at most $(n - 1)/4$ integers $b$, $1 \leq b \leq n$, for which $n$ is a strong 
pseudoprime to the base $b$. 

Case (ii). Now we consider the case where $n = p_1 p_2 \cdots p_r$, where $p_1, p_2, \ldots, p_r$ are 
distinct odd primes. Let 

$$p_i - 1 = 2^{s_i} t_i, \quad i = 1, 2, \ldots, r,$$

where $s_i$ is a positive integer and $t_i$ is an odd positive integer. We reorder the primes 
$p_1, p_2, \ldots, p_r$ (if necessary) so that $s_1 \leq s_2 \leq \cdots \leq s_r$. We note that 

$$(n - 1, p_i - 1) = 2^{\min(s, s_i)} (t, t_i).$$

The number of incongruent solutions of $x^t \equiv 1 \pmod{p_i}$ is $T_i = (t, t_i)$. From Exercise 
22 at the end of this section, there are $2^j T_i$ incongruent solutions of $x^{2^j t} \equiv -1 \pmod{p_i}$ 
when $0 \leq j \leq s_i - 1$, and no solutions otherwise. Hence, using the Chinese remainder 
theorem, there are $T_1 T_2 \cdots T_r$ incongruent solutions of $x^t \equiv 1 \pmod{n}$, and $2^{jr} T_1 T_2 \cdots T_r$ 
incongruent solutions of $x^{2^j t} \equiv -1 \pmod{n}$ when $0 \leq j \leq s_1 - 1$. Therefore, there are a 
total of 

$$T_1 T_2 \cdots T_r \Bigl(1 + \sum_{j=0}^{s_1 - 1} 2^{jr}\Bigr) = T_1 T_2 \cdots T_r \Bigl(1 + \frac{2^{r s_1} - 1}{2^r - 1}\Bigr)$$

integers $b$, with $1 \leq b \leq n - 1$, for which $n$ is a strong pseudoprime to the base $b$. 

Now we note that 

$$\phi(n) = (p_1 - 1)(p_2 - 1) \cdots (p_r - 1) = t_1 t_2 \cdots t_r 2^{s_1 + s_2 + \cdots + s_r}.$$

We will show that 

$$T_1 T_2 \cdots T_r \Bigl(1 + \frac{2^{r s_1} - 1}{2^r - 1}\Bigr) \leq \phi(n)/4,$$

which proves the desired result. Because $T_1 T_2 \cdots T_r \leq t_1 t_2 \cdots t_r$, we can achieve our 
goal by showing that 

$$(9.6) \qquad \Bigl(1 + \frac{2^{r s_1} - 1}{2^r - 1}\Bigr) \Big/ 2^{s_1 + s_2 + \cdots + s_r} \leq \frac{1}{4}.$$

Because $s_1 \leq \cdots \leq s_r$, we see that 

$$\begin{aligned}
\Bigl(1 + \frac{2^{r s_1} - 1}{2^r - 1}\Bigr) \Big/ 2^{s_1 + s_2 + \cdots + s_r} &\leq \Bigl(1 + \frac{2^{r s_1} - 1}{2^r - 1}\Bigr) \Big/ 2^{r s_1} \\
&= \frac{1}{2^{r s_1}} + \frac{2^{r s_1} - 1}{2^{r s_1}(2^r - 1)} \\
&= \frac{1}{2^{r s_1}} + \frac{1}{2^r - 1} - \frac{1}{2^{r s_1}(2^r - 1)} \\
&= \frac{1}{2^r - 1} + \frac{2^r - 2}{2^{r s_1}(2^r - 1)} \\
&\leq \frac{1}{2^{r-1}}.
\end{aligned}$$

From this inequality, we conclude that (9.6) is valid when $r \geq 3$. 

When $r = 2$, we have $n = p_1 p_2$, with $p_1 - 1 = 2^{s_1} t_1$ and $p_2 - 1 = 2^{s_2} t_2$, with $s_1 \leq s_2$. 
If $s_1 < s_2$, then (9.6) is again valid, because 

$$\begin{aligned}
\Bigl(1 + \frac{2^{2 s_1} - 1}{3}\Bigr) \Big/ 2^{s_1 + s_2} &= \Bigl(1 + \frac{2^{2 s_1} - 1}{3}\Bigr) \Big/ \bigl(2^{2 s_1} \cdot 2^{s_2 - s_1}\bigr) \\
&= \Bigl(\frac{1}{3} + \frac{1}{3 \cdot 2^{2 s_1 - 1}}\Bigr) \Big/ 2^{s_2 - s_1} \\
&\leq \frac{1}{4}.
\end{aligned}$$

When $s_1 = s_2$, we have $(n - 1, p_1 - 1) = 2^{s_1} T_1$ and $(n - 1, p_2 - 1) = 2^{s_1} T_2$. Let us assume 
that $p_1 > p_2$. Note that $T_1 \neq t_1$, for if $T_1 = t_1$, then $(p_1 - 1) \mid (n - 1)$, so that 

$$n = p_1 p_2 \equiv p_2 \equiv 1 \pmod{p_1 - 1},$$

which implies that $p_2 > p_1$, a contradiction. Because $T_1 \neq t_1$, we know that $T_1 \leq t_1/3$. 
Similarly, if $p_1 < p_2$, then $T_2 \neq t_2$, so that $T_2 \leq t_2/3$. Hence, $T_1 T_2 \leq t_1 t_2/3$, and because 
$\bigl(1 + \frac{2^{2 s_1} - 1}{3}\bigr) \big/ 2^{2 s_1} \leq \frac{1}{2}$, we have 

$$T_1 T_2 \Bigl(1 + \frac{2^{2 s_1} - 1}{3}\Bigr) \leq t_1 t_2 2^{2 s_1}/6 = \phi(n)/6,$$

proving the theorem for this final case, since $\phi(n)/6 < (n - 1)/6 < (n - 1)/4$. ■

By analyzing the inequalities in the proof of Theorem 6.10, we can see that the 
probability that $n$ is a strong pseudoprime to the randomly chosen base $b$, $1 \leq b \leq n - 1$, 
is close to 1/4 only for integers $n$ with prime factorizations of the form $n = p_1 p_2$ with 
$p_1 = 1 + 2q_1$ and $p_2 = 1 + 4q_2$, where $q_1$ and $q_2$ are odd primes, or $n = p_1 p_2 p_3$, with 
$p_1 = 1 + 2q_1$, $p_2 = 1 + 2q_2$, and $p_3 = 1 + 2q_3$, where $q_1$, $q_2$, and $q_3$ are distinct odd 
primes (see Exercise 23). 
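The count derived in Case (ii) and the $(n - 1)/4$ bound can both be checked numerically for small n, which is the same bound that limits the per-round error of Miller's test used as a probabilistic primality test. The Python sketch below is an added example, not part of the book; the function names are hypothetical, and the closed form is applied only to products of distinct odd primes as in Case (ii).

```python
from math import gcd

def split_power_of_two(m):
    """Write m = 2^s * t with t odd; return (s, t)."""
    s = 0
    while m % 2 == 0:
        s, m = s + 1, m // 2
    return s, m

def passes_millers_test(b, n):
    """True when odd n > 2 passes Miller's test to the base b."""
    s, t = split_power_of_two(n - 1)
    x = pow(b, t, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):          # remaining exponents 2^j * t, 1 <= j <= s - 1
        x = x * x % n
        if x == n - 1:
            return True
    return False

def count_passing_bases(n):
    """Number of bases b, 1 <= b <= n - 1, for which n passes Miller's test."""
    return sum(passes_millers_test(b, n) for b in range(1, n))

def case_ii_count(primes):
    """T_1...T_r (1 + (2^(r*s_1) - 1)/(2^r - 1)) for n a product of distinct odd primes."""
    n = 1
    for p in primes:
        n *= p
    _, t = split_power_of_two(n - 1)
    r, s1, T = len(primes), None, 1
    for p in primes:
        si, ti = split_power_of_two(p - 1)
        s1 = si if s1 is None else min(s1, si)
        T *= gcd(t, ti)             # T_i = (t, t_i)
    return T * (1 + (2 ** (r * s1) - 1) // (2 ** r - 1))

def is_odd_composite(n):
    return n % 2 == 1 and any(n % d == 0 for d in range(3, int(n ** 0.5) + 1, 2))

if __name__ == "__main__":
    for primes in ([3, 5], [7, 13], [3, 5, 7], [3, 11, 17]):
        n = 1
        for p in primes:
            n *= p
        print(n, count_passing_bases(n), case_ii_count(primes), (n - 1) / 4)
```

For n = 91 = 7 · 13, which has the form $p_1 = 1 + 2q_1$, $p_2 = 1 + 4q_2$ with $q_1 = q_2 = 3$, the count is 18 against a bound of 22.5.
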
9.4 EXERCISES 

1. Write out a table of indices modulo 23 with respect to the primitive root 5. 

2. Find all the solutions of the following congruences. 
a) $3x^5 \equiv 1 \pmod{23}$ b) $3x^{14} \equiv 2 \pmod{23}$ 

3. Find all the solutions of the following congruences. 
a) $3^x \equiv 2 \pmod{23}$ b) $13^x \equiv 5 \pmod{23}$ 

4. For which positive integers $a$ is the congruence $ax^4 \equiv 2 \pmod{13}$ solvable? 

5. For which positive integers $b$ is the congruence $8x^7 \equiv b \pmod{29}$ solvable? 

6. Find the solutions of $2^x \equiv x \pmod{13}$, using indices to the base 2 modulo 13. 

7. Find all the solutions of $x^x \equiv x \pmod{23}$. 

8. Show that if $p$ is an odd prime and $r$ is a primitive root of $p$, then $\operatorname{ind}_r(p - 1) = (p - 1)/2$. 

9. Let $p$ be an odd prime. Show that the congruence $x^4 \equiv -1 \pmod{p}$ has a solution if and only 
if $p$ is of the form $8k + 1$. 

10. Prove that there are infinitely many primes of the form $8k + 1$. (Hint: Assume that $p_1, p_2, \ldots, 
p_n$ are the only primes of this form. Let $Q = (2p_1 p_2 \cdots p_n)^4 + 1$. Show that $Q$ must have 
an odd prime factor different than $p_1, p_2, \ldots, p_n$ and, by Exercise 9, necessarily of the form 
$8k + 1$.) 

By Exercise 15 of Section 9.3, we know that if $a$ is an odd positive integer, then there are unique 
integers $\alpha$ and $\beta$ with $\alpha = 0$ or 1 and $0 \leq \beta \leq 2^{k-2} - 1$ such that $a \equiv (-1)^{\alpha} 5^{\beta} \pmod{2^k}$. Define 
the index system of $a$ modulo $2^k$ to be equal to the pair $(\alpha, \beta)$. 

11. Find the index system of 7 and 9 modulo 16. 

12. Develop rules for the index systems modulo $2^k$ of products and powers, analogous to the rules 
for indices. 

13. Use the index system modulo 32 to find all solutions of $7x^9 \equiv 11 \pmod{32}$ and $3^x \equiv 17 \pmod{32}$. 

Let $n = 2^{t_0} p_1^{t_1} p_2^{t_2} \cdots p_m^{t_m}$ be the prime-power factorization of $n$. Let $a$ be an integer relatively prime 
to $n$. Let $r_1, r_2, \ldots, r_m$ be primitive roots of $p_1^{t_1}, p_2^{t_2}, \ldots, p_m^{t_m}$, respectively, and let $\gamma_1 = \operatorname{ind}_{r_1} a$ 
$\pmod{\phi(p_1^{t_1})}$, $\gamma_2 = \operatorname{ind}_{r_2} a \pmod{\phi(p_2^{t_2})}$, $\ldots$, $\gamma_m = \operatorname{ind}_{r_m} a \pmod{\phi(p_m^{t_m})}$. If $t_0 \leq 2$, let $r_0$ be a 
primitive root of $2^{t_0}$, and let $\gamma_0 = \operatorname{ind}_{r_0} a \pmod{\phi(2^{t_0})}$. If $t_0 \geq 3$, let $(\alpha, \beta)$ be the index system 
of $a$ modulo $2^{t_0}$, so that $a \equiv (-1)^{\alpha} 5^{\beta} \pmod{2^{t_0}}$. Define the index system of $a$ modulo $n$ to be 
$(\gamma_0, \gamma_1, \gamma_2, \ldots, \gamma_m)$ if $t_0 \leq 2$ and $(\alpha, \beta, \gamma_1, \gamma_2, \ldots, \gamma_m)$ if $t_0 \geq 3$. 

14. Show that if $n$ is a positive integer, then every integer has a unique index system modulo $n$. 

15. Find the index systems of 17 and 41 (mod 120) (in your computations, use 2 as a primitive 
root of the prime factor 5 of 120). 

16. Develop rules for the index systems modulo $n$ of products and powers, analogous to those 
for indices. 

17. Use an index system modulo 60 to find the solutions of $11x^7 \equiv 43 \pmod{60}$. 


18. Let $p$ be a prime, $p > 3$. Show that if $p \equiv 2 \pmod{3}$, then every integer not divisible by 3 is a 
third-power, or cubic, residue of $p$, whereas if $p \equiv 1 \pmod{3}$, an integer $a$ is a cubic residue 
of $p$ if and only if $a^{(p-1)/3} \equiv 1 \pmod{p}$. 

19. Let $e$ be a positive integer with $e \geq 2$. Show that if $k$ is an odd positive integer, then every 
odd integer $a$ is a $k$th power residue of $2^e$. 

20. Let $e$ be a positive integer with $e \geq 2$. Show that if $k$ is even, then an integer $a$ is a $k$th power 
residue of $2^e$ if and only if $a \equiv 1 \pmod{(4k, 2^e)}$. 

21. Let $e$ be a positive integer with $e \geq 2$. Show that if $k$ is a positive integer, then the number of 
incongruent $k$th power residues of $2^e$ is 

$$\frac{2^{e-1}}{(k, 2)(k, 2^{e-2})}.$$

22. Let $p$ be an odd prime and let $N = 2^j u$ be a positive integer, with $j$ a nonnegative integer and 
$u$ an odd positive integer, and let $p - 1 = 2^s t$, where $s$ and $t$ are positive integers with $t$ odd. 
Show that there are $2^j (t, u)$ incongruent solutions of $x^N \equiv -1 \pmod{p}$ if $0 \leq j \leq s - 1$, and 
no solutions otherwise. 

23. a) Show that the probability that $n$ is a strong pseudoprime for a base $b$ randomly chosen 
with $1 \leq b \leq n - 1$ is near 1/4 only when $n$ has a prime factorization of the form $n = p_1 p_2$, 
where $p_1 = 1 + 2q_1$ and $p_2 = 1 + 4q_2$, with $q_1$ and $q_2$ prime, or $n = p_1 p_2 p_3$, where 
$p_1 = 1 + 2q_1$, $p_2 = 1 + 2q_2$, and $p_3 = 1 + 2q_3$, with $q_1$, $q_2$, $q_3$ distinct odd primes. 

b) Find the probability that $n = 49{,}939 \cdot 99{,}877$ is a strong pseudoprime to the base $b$ 
randomly chosen with $1 \leq b \leq n - 1$. 


Computations and Explorations 


1. Find integers $n$ for which the probability that $n$ is a strong pseudoprime to the randomly 
chosen base $b$, $1 \leq b \leq n - 1$, is close to 1/4. 


Programming Projects 


1. Construct a table of indices modulo a particular primitive root of an integer. 

2. Using indices, solve congruences of the form $ax^b \equiv c \pmod{m}$, where $a$, $b$, $c$, and $m$ are 
integers with $c > 0$, $m > 0$, and where $m$ has a primitive root. 

3. Find $k$th power residues of a positive integer $m$ having a primitive root, where $k$ is a positive 
integer. 

4. Find index systems modulo powers of 2 (see the preamble to Exercise 11). 

5. Find index systems modulo arbitrary positive integers (see the preamble to Exercise 14). 


9.5 Primality Tests Using Orders of Integers and Primitive Roots 


In Chapter 6, we saw that the converse of Fermat's little theorem is not true. Fermat's 
little theorem tells us that if $p$ is prime and $a$ is an integer with $(a, p) = 1$, then $a^{p-1} \equiv 1 
\pmod{p}$. Even if $a^{n-1} \equiv 1 \pmod{n}$, where $a$ is a positive integer, $n$ may still be composite. 


Although the converse of Fermat’s little theorem is not true, can we establish partial 
converses? That is, can we add hypotheses to the converse to make it true? 


In this section, we will use the concepts developed in this chapter to prove some 
partial converses of Fermat’s little theorem. We begin with a result known as Lucas’s 
converse of Fermat’s little theorem. This result was proved by French mathematician 
Edouard Lucas in 1876. 


Theorem 9.18. Lucas's Converse of Fermat's Little Theorem. If $n$ is a positive 
integer and if an integer $x$ exists such that 

$$x^{n-1} \equiv 1 \pmod{n}$$

and 

$$x^{(n-1)/q} \not\equiv 1 \pmod{n}$$

for all prime divisors $q$ of $n - 1$, then $n$ is prime. 

Proof. Because $x^{n-1} \equiv 1 \pmod{n}$, Theorem 9.1 tells us that $\operatorname{ord}_n x \mid (n - 1)$. We will 
show that $\operatorname{ord}_n x = n - 1$. Suppose that $\operatorname{ord}_n x \neq n - 1$. Because $\operatorname{ord}_n x \mid (n - 1)$, there is 
an integer $k$ with $n - 1 = k \cdot \operatorname{ord}_n x$, and because $\operatorname{ord}_n x \neq n - 1$, we know that $k > 1$. Let 
$q$ be a prime divisor of $k$. Then 

$$x^{(n-1)/q} = x^{(k \cdot \operatorname{ord}_n x)/q} = (x^{\operatorname{ord}_n x})^{k/q} \equiv 1 \pmod{n}.$$

However, this contradicts the hypotheses of the theorem, so we must have $\operatorname{ord}_n x = n - 1$. 

Now, because $\operatorname{ord}_n x \leq \phi(n)$ and $\phi(n) \leq n - 1$, it follows that $\phi(n) = n - 1$. By Theorem 
7.2, we know that $n$ must be prime. ■

Note that Theorem 9.18 is equivalent to the fact that if there is an integer with order 
modulo $n$ equal to $n - 1$, then $n$ must be prime. We illustrate the use of Theorem 9.18 
with an example. 

Example 9.22. Let $n = 1009$. Then $11^{1008} \equiv 1 \pmod{1009}$. The prime divisors of 1008 
are 2, 3, and 7. We see that $11^{1008/2} = 11^{504} \equiv -1 \pmod{1009}$, $11^{1008/3} = 11^{336} \equiv 374 
\pmod{1009}$, and $11^{1008/7} = 11^{144} \equiv 935 \pmod{1009}$. Hence, by Theorem 9.18, we know 
that 1009 is prime. ◄


The following corollary of Theorem 9.18 gives a slightly more efficient primality 
test. 


Corollary 9.18.1. If $n$ is an odd positive integer and if $x$ is a positive integer such that 

$$x^{(n-1)/2} \equiv -1 \pmod{n}$$

and 

$$x^{(n-1)/q} \not\equiv 1 \pmod{n}$$

for all odd prime divisors $q$ of $n - 1$, then $n$ is prime. 

Proof. Because $x^{(n-1)/2} \equiv -1 \pmod{n}$, we see that 

$$x^{n-1} = (x^{(n-1)/2})^2 \equiv (-1)^2 \equiv 1 \pmod{n}.$$

Because the hypotheses of Theorem 9.18 are met, we know that $n$ is prime. ■

Example 9.23. Let $n = 2003$. The odd prime divisors of $n - 1 = 2002$ are 7, 11, 
and 13. Because $5^{2002/2} = 5^{1001} \equiv -1 \pmod{2003}$, $5^{2002/7} = 5^{286} \equiv 874 \pmod{2003}$, 
$5^{2002/11} = 5^{182} \equiv 386 \pmod{2003}$, and $5^{2002/13} = 5^{154} \equiv 633 \pmod{2003}$, we see from 
Corollary 9.18.1 that 2003 is prime. ◄


To determine whether an integer n is prime using either Theorem 9.18 or Corollary 
9.18.1, it is necessary to know the prime factorization of n — 1. As we have remarked 
before, finding the prime factorization of an integer is a time-consuming process. Only 
when we have some a priori information about the factorization of n — 1 are the primality 
tests given by these results practical. Indeed, with such information these tests can be 
useful. Such a situation occurs with the Fermat numbers; in Chapter 11, we give a 
primality test for these numbers based on the ideas of this section. 


In Chapter 3, we discussed the recent discovery of an algorithm that can prove that 
an integer n is prime in polynomial time (in the number of digits in the prime). We can 
prove a weaker result using Corollary 9.18.1, which shows that we can prove that an 
integer is prime in polynomial time once particular information is known. 


Theorem 9.19. If is prime, this can be proved when sufficient information is available 
using O((log, n)*) bit operations. 


Proof. We use the second principle of mathematical induction. The induction hypothesis is an estimate for $f(n)$, where $f(n)$ is the total number of multiplications and modular exponentiations needed to verify that the integer $n$ is prime.

We demonstrate that
$$f(n) \le 3(\log n/\log 2) - 2.$$
First, we note that $f(2) = 1$. We assume that for all primes $q$, with $q < n$, the inequality
$$f(q) \le 3(\log q/\log 2) - 2$$
holds.

To prove that $n$ is prime, we use Corollary 9.18.1. Once we have the numbers $2^a, q_1, \ldots, q_t$, and $x$ that supposedly satisfy

(i) $n - 1 = 2^a q_1 q_2 \cdots q_t$,
(ii) $q_i$ is prime for $i = 1, 2, \ldots, t$,
(iii) $x^{(n-1)/2} \equiv -1 \pmod{n}$,

and

(iv) $x^{(n-1)/q_i} \not\equiv 1 \pmod{n}$, for $i = 1, 2, \ldots, t$,

we need to do $t$ multiplications to check (i), $t + 1$ modular exponentiations to check (iii) and (iv), and $f(q_i)$ multiplications and modular exponentiations to check (ii), that $q_i$ is prime for $i = 1, 2, \ldots, t$. Hence,

$$f(n) = t + (t + 1) + \sum_{i=1}^{t} f(q_i) \le 2t + 1 + \sum_{i=1}^{t} \bigl((3 \log q_i/\log 2) - 2\bigr).$$

Now, each multiplication requires $O((\log_2 n)^2)$ bit operations and each modular exponentiation requires $O((\log_2 n)^3)$ bit operations. Because the total number of multiplications and modular exponentiations needed is $f(n) = O(\log_2 n)$, the total number of bit operations needed is $O((\log_2 n)(\log_2 n)^3) = O((\log_2 n)^4)$. ■
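The recursive check counted in the proof of Theorem 9.19, as an added example (not code from the book). The certificate for 2003 uses x = 5 and 2002 = 2 · 7 · 11 · 13 from the example above; the sub-certificates for 3, 5, 7, 11, and 13, the function names, and the dictionary layout are assumptions made here.

```python
from math import log2

# Constructed certificate: prime -> (x, odd prime factors of n - 1 with
# multiplicity).  Only the entry for 2003 comes from the text's example.
CERT = {
    2003: (5, [7, 11, 13]),
    13: (2, [3]),
    11: (2, [5]),
    7: (3, [3]),
    5: (2, []),
    3: (2, []),
}


def certificate_ops(n, cert):
    """Verify conditions (i)-(iv) for n and, recursively, for every q_i.

    Returns f(n), the number of multiplications and modular
    exponentiations used, or None if the certificate is invalid.
    """
    if n == 2:
        return 1                          # base case f(2) = 1
    if n < 2 or n % 2 == 0 or n not in cert:
        return None
    x, qs = cert[n]
    t = len(qs)
    # (i) n - 1 = 2^a * q_1 * ... * q_t with a >= 1: t multiplications
    prod = 1
    for q in qs:
        prod *= q
    two_part, rem = divmod(n - 1, prod)
    if rem or two_part < 2 or two_part & (two_part - 1):
        return None
    # (iii) and (iv): t + 1 modular exponentiations
    if pow(x, (n - 1) // 2, n) != n - 1:
        return None
    if any(pow(x, (n - 1) // q, n) == 1 for q in qs):
        return None
    # (ii) every q_i needs its own valid certificate
    ops = t + (t + 1)
    for q in qs:
        sub = certificate_ops(q, cert)
        if sub is None:
            return None
        ops += sub
    return ops


def bound(n):
    """The estimate 3(log n / log 2) - 2 from the proof."""
    return 3 * log2(n) - 2


if __name__ == "__main__":
    ops = certificate_ops(2003, CERT)
    print("f(2003) =", ops, "bound =", round(bound(2003), 2))
```

A verifier that receives such a certificate never has to factor anything itself; it only multiplies and exponentiates, which is why the cost stays polynomial in the number of digits.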


Another limited converse of Fermat’s little theorem was established by Henry 
Pocklington in 1914. He showed that the primality of n can be established using a partial 
factorization of n — 1. We use the usual notation n — 1= FR, where F represents the 
part of n — 1 factored into primes and R the remaining part not factored into primes. 


Theorem 9.20. Pocklington’s Primality Test. Suppose that $n$ is a positive integer with $n - 1 = FR$, where $(F, R) = 1$ and $F > R$. The integer $n$ is prime if there exists an integer $a$ such that $(a^{(n-1)/q} - 1, n) = 1$ whenever $q$ is a prime with $q \mid F$ and $a^{n-1} \equiv 1 \pmod{n}$.


Proof. Suppose that $p$ is a prime divisor of $n$ with $p \le \sqrt{n}$. Because $a^{n-1} \equiv 1 \pmod{n}$ (where $a$ is the integer assumed to have the properties specified in the hypotheses), if $p \mid n$, we see that $a^{n-1} \equiv 1 \pmod{p}$. It follows that $\mathrm{ord}_p a \mid n - 1$. Consequently, there exists an integer $t$ such that $n - 1 = t \cdot \mathrm{ord}_p a$.

Now, suppose that $q$ is a prime with $q \mid F$ and that $q^e$ is the power of $q$ appearing in the prime-power factorization of $F$. We will show that $q \nmid t$. To see this, note that if $q \mid t$, then

$$a^{(n-1)/q} = a^{\mathrm{ord}_p a \cdot (t/q)} \equiv 1 \pmod{p}.$$

This implies that $p \mid (a^{(n-1)/q} - 1, n)$ because $p \mid a^{(n-1)/q} - 1$ and $p \mid n$. This contradicts the hypothesis that $(a^{(n-1)/q} - 1, n) = 1$. Consequently, $q \nmid t$. It follows that $q^e \mid \mathrm{ord}_p a$. Because for every prime dividing $F$ the power of this prime in the prime-power factorization of $F$ divides $\mathrm{ord}_p a$, it follows that $F \mid \mathrm{ord}_p a$. Because $\mathrm{ord}_p a \mid p - 1$, it follows that $F \mid p - 1$, implying that $F < p$.

Because $F > R$ and $n - 1 = FR$, it follows that $n - 1 < F^2$. Because both $n - 1$ and $F^2$ are integers, we have $n \le F^2$, so $p > F \ge \sqrt{n}$. We can conclude that $n$ is prime. ■


The following example illustrates the use of Pocklington’s primality test, where only 
a partial factorization of n — 1 is used to show that n is prime. 
Example 9.24. We will use Pocklington’s primality test to show that 23801 is prime. With $n = 23801$, we can use the partial factorization of $n - 1 = 23800 = FR$, where $F = 200 = 2^3 \cdot 5^2$ and $R = 119$, so that $F > R$. Taking $a = 3$, we find (with the help of computation software) that

$$3^{23800} \equiv 1 \pmod{23801}$$
$$3^{23800/2} \equiv -1 \pmod{23801}$$
$$3^{23800/5} \equiv 19672 \pmod{23801}.$$

From this, we find (using the Euclidean algorithm) that $(3^{23800/2} - 1, 23801) = (-2, 23801) = 1$ and $(3^{23800/5} - 1, 23801) = (19671, 23801) = 1$. This shows that $n = 23801$ is prime, even though we did not use the complete factorization of $n - 1 = 23800$ (namely, $23800 = 2^3 \cdot 5^2 \cdot 7 \cdot 17$). ◄


We can use Pocklington’s primality test to develop another test, which is useful 
for testing the primality of numbers of special form. This test (which actually predates 
Pocklington’s) was proved by E. Proth in 1878. 


Theorem 9.21. Proth’s Primality Test. Let $n$ be a positive integer with $n = k2^m + 1$, where $k$ is an odd integer and $m$ is an integer with $k < 2^m$. If there is an integer $a$ such that

$$a^{(n-1)/2} \equiv -1 \pmod{n},$$

then $n$ is prime.

Proof. Let $s = 2^m$ and $t = k$, so that $s > t$ by the hypotheses. If

(9.7) $a^{(n-1)/2} \equiv -1 \pmod{n}$,

we can easily show that $(a^{(n-1)/2} - 1, n) = 1$. To see this, note that if $d \mid (a^{(n-1)/2} - 1)$ and $d \mid n$, then by (9.7), $d \mid (a^{(n-1)/2} + 1)$. It follows that $d$ divides $(a^{(n-1)/2} + 1) - (a^{(n-1)/2} - 1) = 2$. Because $n$ is odd, it follows that $d = 1$. Consequently, all the hypotheses of Pocklington’s primality test are satisfied, so $n$ is prime. ■


Example 9.25. We will use Proth’s primality test to show that $n = 13 \cdot 2^8 + 1 = 3329$ is prime. First, note that $13 < 2^8 = 256$. Take $a = 3$. We find (with the help of computation software) that

$$3^{(n-1)/2} = 3^{3328/2} = 3^{1664} \equiv -1 \pmod{3329}.$$

It follows by Proth’s primality test that 3329 is prime. ◄
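Pocklington’s and Proth’s tests written as certificate checks, as an added example (not code from the book). The inputs 23801 with F = 2^3 · 5^2, a = 3 and 3329 with a = 3 are those of Examples 9.24 and 9.25; the function names, the trial-division helper, and the composite input 561 are assumptions constructed here.

```python
from math import gcd, isqrt


def is_prime_trial(q):
    """Trial division; adequate for the small primes dividing F."""
    return q >= 2 and all(q % d for d in range(2, isqrt(q) + 1))


def pocklington(n, f_factors, a):
    """Check the hypotheses of Theorem 9.20.

    f_factors maps each prime q dividing F to its exponent.  True means
    n is proved prime; False only means this (F, a) proves nothing.
    """
    if n < 3 or not all(is_prime_trial(q) for q in f_factors):
        return False
    F = 1
    for q, e in f_factors.items():
        F *= q ** e
    if (n - 1) % F:
        return False
    R = (n - 1) // F
    if gcd(F, R) != 1 or F <= R:
        return False
    if pow(a, n - 1, n) != 1:             # Fermat condition
        return False
    # gcd(a^((n-1)/q) - 1, n) must be 1 for every prime q dividing F
    return all(gcd(pow(a, (n - 1) // q, n) - 1, n) == 1 for q in f_factors)


def proth(n, a):
    """Check the hypotheses of Theorem 9.21 for n = k * 2^m + 1."""
    if n < 3 or n % 2 == 0:
        return False
    k, m = n - 1, 0
    while k % 2 == 0:                     # split n - 1 into k * 2^m, k odd
        k //= 2
        m += 1
    if k >= 2 ** m:                       # theorem requires k < 2^m
        return False
    return pow(a, (n - 1) // 2, n) == n - 1


if __name__ == "__main__":
    print(pocklington(23801, {2: 3, 5: 2}, 3))   # Example 9.24
    print(proth(3329, 3))                        # Example 9.25
    print(proth(3329, 2))                        # same prime, unsuitable a
    # 561 passes the Fermat condition for a = 2 but fails the gcd condition
    print(pow(2, 560, 561) == 1, pocklington(561, {2: 4, 5: 1}, 2))
```

A False result is not a compositeness proof: 3329 is prime, yet a = 2 does not satisfy Proth’s congruence, so a verifier must try another base or another method.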


Proth’s primality test has been used extensively to prove the primality of many large numbers of the form $k2^m + 1$. Two of the ten largest primes currently known have been found using Proth’s primality test; the rest are Mersenne primes. For a few years, the largest known prime was not a Mersenne prime, but one of the form $k2^n + 1$. You can download PC-based software from the Web for running Proth’s primality test and look for new primes of the form $k2^n + 1$ yourself! If you find one, you will receive some small amount of fame, but it will not make you as famous as if you found a new Mersenne prime.


EXERCISES 


1. Show that 101 is prime using Lucas’s converse of Fermat’s little theorem with x = 2.
2. Show that 211 is prime using Lucas’s converse of Fermat’s little theorem with x = 2.
3. Show that 233 is prime using Corollary 9.18.1 with x = 3.
4. Show that 257 is prime using Corollary 9.18.1 with x = 3.
5. Show that if an integer $x$ exists such that
$$x^{2^{2^n}} \equiv 1 \pmod{F_n}$$
and
$$x^{2^{2^n - 1}} \not\equiv 1 \pmod{F_n},$$
then the Fermat number $F_n = 2^{2^n} + 1$ is prime.
6. Let $n$ be a positive integer. Show that if the prime-power factorization of $n - 1$ is $n - 1 = p_1^{a_1} p_2^{a_2} \cdots p_t^{a_t}$, and for $j = 1, 2, \ldots, t$, there exists an integer $x_j$ such that
$$x_j^{(n-1)/p_j} \not\equiv 1 \pmod{n}$$
and
$$x_j^{n-1} \equiv 1 \pmod{n},$$
then $n$ is prime.


7. Let $n$ be a positive integer such that

$$n - 1 = m \prod_{j=1}^{r} q_j^{a_j},$$

where $m$ is a positive integer, $a_1, a_2, \ldots, a_r$ are positive integers, and $q_1, q_2, \ldots, q_r$ are relatively prime integers greater than 1. Furthermore, let $b_1, b_2, \ldots, b_r$ be positive integers such that there exist integers $x_1, x_2, \ldots, x_r$ with


a = 1 (mod n) 


and 

a — 1a) =1 
for j = 1, 2,..., 7, where every prime factor of q; is greater than or equal to b; for j = 
1,2,...,7r, and 


Bs tds 
elie): 


Show that n is prime. 
8. Use Pocklington’s primality test to show that 7057 is prime. (Hint: Take $F = 2^4 \cdot 3^2 = 144$ and $R = 49$ in $7057 - 1 = 7056 = FR$.)
9. Use Pocklington’s primality test to show that 9929 is prime. (Hint: Take $F = 136 = 2^3 \cdot 17$ and $R = 73$ in $9929 - 1 = 9928 = FR$.)
10. Use Proth’s primality test to show that 449 is prime.
11. Use Proth’s primality test to show that 3329 is prime.

* 12. Show that the integer $n$ is prime if $n - 1 = FR$, where $(F, R) = 1$, $B$ is an integer with $FB > \sqrt{n}$, and $R$ has no prime factors less than $B$; for each prime $q$ dividing $F$, there exists an integer $a$ such that $a^{n-1} \equiv 1 \pmod{n}$ and $(a^{(n-1)/q} - 1, n) = 1$; and there exists an integer $b$ greater than 1 such that $b^{n-1} \equiv 1 \pmod{n}$ and $(b^F - 1, n) = 1$.

* 13. Suppose that $n = hq^k + 1$, where $q$ is prime and $q^k > h$. Show that $n$ is prime if there exists an integer $a$ such that $a^{n-1} \equiv 1 \pmod{n}$ and $(a^{(n-1)/q} - 1, n) = 1$.

* 14. A Sierpinski number is a positive odd integer $k$ for which the integers $k2^n + 1$, where $n$ is an integer with $n > 1$, are all composite. In 1960, Wacław Sierpiński proved that there are infinitely many of these numbers. Show that 78557 is a Sierpinski number.


WACŁAW SIERPIŃSKI (1882-1969) was born in Warsaw where his father was a prominent doctor. His mathematical talent was spotted by his first high school mathematics teacher. In 1900, Sierpiński enrolled in the University of Warsaw, winning a gold medal in 1903 for a paper in number theory. In 1904, he graduated, even though he purposely failed his Russian language exam to protest the Russian dominance of Poland. After graduating, Sierpiński taught at a Warsaw girl’s school. When the school went on strike during the 1905 revolution, he moved to Kraków to pursue graduate studies at Jagiellonian University. In 1906, he received his doctorate, and two years later was appointed to a position at the University of Lvov. When World War I began, he was interned by the Russians, but prominent Russian mathematicians arranged for him to spend the war years working with them in Moscow. In 1918, Sierpiński returned to Lvov, shortly thereafter accepting a professorship at the University of Warsaw. During World War II, Sierpiński continued working in the underground university, while his official job was a clerk. After the Warsaw uprising of 1944, the Nazis burned his house, destroying his library. After the war, he resumed his position at the University of Warsaw, retiring in 1960.

Sierpiński was noted for the richness of his ideas and the many questions he posed. He was extremely prolific and wrote more than 700 papers and more than 50 books. He made important contributions to many different areas of mathematics, including number theory, set theory, the theory of functions, and topology. Sierpinski numbers, which are positive odd integers $k$ such that $k2^n + 1$ is composite for all integers $n > 1$, remain an active research topic. Fractals named after him include the Sierpinski triangle, the Sierpinski curve, and the Sierpinski carpet.

Sierpiński was noted for a cheerful disposition and for his exceptionally good health. Fortunately, he could work productively under any conditions, including the terrible condition of the Russian occupation of Poland, World War I, and World War II.
Computations and Explorations

1. Use Pocklington’s primality test to show that 10,998,989 is prime, with $n - 1 = FR$, where $s = 4004$, $t = 2747$, and $a = 3$.
2. Use Pocklington’s primality test to show that 111,649,121 is prime.
3. Use Proth’s primality test to find as many primes of the form $3 \cdot 2^n + 1$ as you can.
4. Use Proth’s primality test to find as many primes of the form $5 \cdot 2^n + 1$ as possible.
5. It has been conjectured that 78557 is the smallest Sierpinski number (see Exercise 14). (Sierpinski showed in 1960 that there are infinitely many Sierpinski numbers.) The Seventeen or Bust distributed computing project (with home page www.seventeenorbust.com) was founded in 2002 with the goal of eliminating seventeen possible counterexamples to this conjecture. As of early 2010, the project has eliminated 11 of the 17 original values. Join this project, download software from their site, and try to eliminate one of the six remaining integers 10223, 21811, 22699, 24737, 55459, and 67607. (Eliminating $k$, where $k$ is one of these integers, requires that you use their software to find an integer $n$ such that $k2^n + 1$ is prime.)
6. Give a succinct certification of primality of $F_4 = 2^{2^4} + 1 = 65537$.


Programming Projects 


Show that a positive integer n is prime using the following tests.

1. Lucas’s converse of Fermat’s little theorem
2. Corollary 9.18.1
3. Pocklington’s primality test
4. Proth’s primality test


Universal Exponents 

Let $n$ be a positive integer greater than 1 with prime-power factorization
$$n = p_1^{t_1} p_2^{t_2} \cdots p_m^{t_m}.$$

If $a$ is an integer relatively prime to $n$, then Euler’s theorem tells us that

$$a^{\phi(p^t)} \equiv 1 \pmod{p^t},$$

whenever $p^t$ is one of the prime powers occurring in the factorization of $n$. As in the proof of Theorem 9.13, let

$$U = [\phi(p_1^{t_1}), \phi(p_2^{t_2}), \ldots, \phi(p_m^{t_m})],$$

the least common multiple of the integers $\phi(p_i^{t_i})$, $i = 1, 2, \ldots, m$. Because

$$\phi(p_i^{t_i}) \mid U,$$

for $i = 1, 2, \ldots, m$, using Theorem 9.1 we see that
$$a^U \equiv 1 \pmod{p_i^{t_i}},$$
for $i = 1, 2, \ldots, m$. Hence, by Exercise 39 in Section 3.5, it follows that

$$a^U \equiv 1 \pmod{n}.$$
This leads to the following definition.


Definition. A universal exponent of the positive integer $n$ is a positive integer $U$ such that

$$a^U \equiv 1 \pmod{n},$$

for all integers $a$ relatively prime to $n$.

Example 9.26. Because the prime-power factorization of 600 is $2^3 \cdot 3 \cdot 5^2$, it follows that $U = [\phi(2^3), \phi(3), \phi(5^2)] = [4, 2, 20] = 20$ is a universal exponent of 600. ◄

From Euler’s theorem, we know that $\phi(n)$ is a universal exponent. As we have already demonstrated, the integer $U = [\phi(p_1^{t_1}), \phi(p_2^{t_2}), \ldots, \phi(p_m^{t_m})]$ is also a universal exponent of $n = p_1^{t_1} p_2^{t_2} \cdots p_m^{t_m}$. We are interested in finding the smallest positive universal exponent of $n$.

Definition. The least universal exponent of the positive integer $n$ is called the minimal universal exponent of $n$, and is denoted by $\lambda(n)$.


We now find a formula for the minimal universal exponent $\lambda(n)$, based on the prime-power factorization of $n$.

First, note that if $n$ has a primitive root, then $\lambda(n) = \phi(n)$. Because powers of odd primes possess primitive roots, we know that

$$\lambda(p^t) = \phi(p^t),$$

whenever $p$ is an odd prime and $t$ is a positive integer. Similarly, we have $\lambda(2) = \phi(2) = 1$ and $\lambda(4) = \phi(4) = 2$, because both 2 and 4 have primitive roots. On the other hand, if $t \ge 3$, then we know by Theorem 9.11 that for every odd integer $a$, we have

$$a^{2^{t-2}} \equiv 1 \pmod{2^t}.$$

On the other hand, by Theorem 9.12, we have $\mathrm{ord}_{2^t} 5 = 2^{t-2}$. Hence, we can conclude that $\lambda(2^t) = 2^{t-2}$ if $t \ge 3$.

We have found A(n) when n is a power of a prime. Next, we turn our attention to 
arbitrary positive integers n. 


Theorem 9.22. Let $n$ be a positive integer with prime-power factorization

$$n = 2^{t_0} p_1^{t_1} p_2^{t_2} \cdots p_m^{t_m}.$$

Then $\lambda(n)$, the minimal universal exponent of $n$, is given by

$$\lambda(n) = [\lambda(2^{t_0}), \phi(p_1^{t_1}), \ldots, \phi(p_m^{t_m})].$$

Moreover, there exists an integer $a$ such that $\mathrm{ord}_n a = \lambda(n)$, the largest possible order of an integer modulo $n$.


Proof. Let $b$ be an integer with $(b, n) = 1$. For convenience, let
$$M = [\lambda(2^{t_0}), \phi(p_1^{t_1}), \phi(p_2^{t_2}), \ldots, \phi(p_m^{t_m})].$$

Because $M$ is divisible by all of the integers $\lambda(2^{t_0})$, $\phi(p_1^{t_1}) = \lambda(p_1^{t_1})$, $\phi(p_2^{t_2}) = \lambda(p_2^{t_2})$, $\ldots$, $\phi(p_m^{t_m}) = \lambda(p_m^{t_m})$, and because $b^{\lambda(p^t)} \equiv 1 \pmod{p^t}$ for all prime powers in the factorization of $n$, we see that

$$b^M \equiv 1 \pmod{p^t}$$
whenever $p^t$ is a prime power occurring in the factorization of $n$.
Consequently, by Corollary 4.8.1 we can conclude that
$$b^M \equiv 1 \pmod{n}.$$
The last congruence established the fact that $M$ is a universal exponent. We must now show that $M$ is the least universal exponent. To do this, we find an integer $a$ such that no positive power smaller than the $M$th power of $a$ is congruent to 1 modulo $n$. With this in mind, let $r_i$ be a primitive root of $p_i^{t_i}$.
We consider the system of simultaneous congruences
$$x \equiv 5 \pmod{2^{t_0}}$$
$$x \equiv r_1 \pmod{p_1^{t_1}}$$
$$x \equiv r_2 \pmod{p_2^{t_2}}$$
$$\vdots$$
$$x \equiv r_m \pmod{p_m^{t_m}}.$$

By the Chinese remainder theorem, there is a simultaneous solution $a$ of this system that is unique modulo $n = 2^{t_0} p_1^{t_1} p_2^{t_2} \cdots p_m^{t_m}$; we will show that $\mathrm{ord}_n a = M$. To prove this claim, assume that $N$ is a positive integer such that

$$a^N \equiv 1 \pmod{n}.$$

Then, if $p^t$ is a prime-power divisor of $n$, we have
$$a^N \equiv 1 \pmod{p^t},$$
so that

$$\mathrm{ord}_{p^t} a \mid N.$$
But, because $a$ satisfies each of the $m + 1$ congruences of the system, we have
$$\mathrm{ord}_{p^t} a = \lambda(p^t),$$
for each prime power in the factorization. Hence, by Theorem 9.1, we have
$$\lambda(p^t) \mid N,$$
for all prime powers $p^t$ in the factorization of $n$. Therefore, by Corollary 4.8.1, we know that $M = [\lambda(2^{t_0}), \lambda(p_1^{t_1}), \lambda(p_2^{t_2}), \ldots, \lambda(p_m^{t_m})] \mid N$.

Because $a^M \equiv 1 \pmod{n}$ and $M \mid N$ whenever $a^N \equiv 1 \pmod{n}$, we can conclude that the smallest positive integer $x$ for which $a^x \equiv 1 \pmod{n}$ is $x = M$. Hence, by the definition of order modulo $n$, we have

$$\mathrm{ord}_n a = M.$$
This shows that $M = \lambda(n)$ and simultaneously produces a positive integer $a$ with $\mathrm{ord}_n a = \lambda(n)$. ■


Example 9.27. Because the prime-power factorization of 180 is $2^2 \cdot 3^2 \cdot 5$, from Theorem 9.22 it follows that

$$\lambda(180) = [\phi(2^2), \phi(3^2), \phi(5)] = 12.$$

To find an integer $a$ with $\mathrm{ord}_{180} a = 12$, first we find primitive roots modulo $3^2$ and 5. For instance, we take 2 and 3 as primitive roots modulo $3^2$ and 5, respectively. Then, using the Chinese remainder theorem, we find a solution of the system of congruences

$$a \equiv 3 \pmod{4}$$
$$a \equiv 2 \pmod{9}$$
$$a \equiv 3 \pmod{5},$$
obtaining $a \equiv 83 \pmod{180}$. From the proof of Theorem 9.22, we see that $\mathrm{ord}_{180} 83 = 12$. ◄

Example 9.28. Let $n = 2^6 \cdot 3^2 \cdot 5 \cdot 7 \cdot 13 \cdot 17 \cdot 19 \cdot 37 \cdot 73$. Then we have
$$\lambda(n) = [\lambda(2^6), \phi(3^2), \phi(5), \phi(7), \phi(13), \phi(17), \phi(19), \phi(37), \phi(73)]$$
$$= [2^4, 2 \cdot 3, 2^2, 2 \cdot 3, 2^2 \cdot 3, 2^4, 2 \cdot 3^2, 2^2 \cdot 3^2, 2^3 \cdot 3^2]$$
$$= 2^4 \cdot 3^2$$
$$= 144.$$
Hence, whenever $a$ is a positive integer relatively prime to $2^6 \cdot 3^2 \cdot 5 \cdot 7 \cdot 13 \cdot 17 \cdot 19 \cdot 37 \cdot 73$, we know that $a^{144} \equiv 1 \pmod{2^6 \cdot 3^2 \cdot 5 \cdot 7 \cdot 13 \cdot 17 \cdot 19 \cdot 37 \cdot 73}$. ◄


Results about Carmichael Numbers We now return to the Carmichael numbers, which we discussed in Section 6.2. Recall that a Carmichael number is a composite integer that satisfies $b^{n-1} \equiv 1 \pmod{n}$ for all positive integers $b$ with $(b, n) = 1$. We proved that if $n = q_1 q_2 \cdots q_k$, where $q_1, q_2, \ldots, q_k$ are distinct primes satisfying $(q_j - 1) \mid (n - 1)$ for $j = 1, 2, \ldots, k$, then $n$ is a Carmichael number. Here, we prove the converse of this result.
Theorem 9.23. If $n > 2$ is a Carmichael number, then $n = q_1 q_2 \cdots q_k$, where the $q_j$ are distinct odd primes such that $(q_j - 1) \mid (n - 1)$ for $j = 1, 2, \ldots, k$.

Proof. If $n$ is a Carmichael number, then
$$b^{n-1} \equiv 1 \pmod{n},$$

for all positive integers $b$ with $(b, n) = 1$. Theorem 9.22 tells us that there is an integer $a$ with $\mathrm{ord}_n a = \lambda(n)$, where $\lambda(n)$ is the minimal universal exponent; and because $a^{n-1} \equiv 1 \pmod{n}$, Theorem 9.1 tells us that

$$\lambda(n) \mid (n - 1).$$

Now $n$ must be odd, for if $n$ were even, then $n - 1$ would be odd, but $\lambda(n)$ is even (because $n > 2$), contradicting the fact that $\lambda(n) \mid (n - 1)$.

We now show that $n$ must be the product of distinct primes. Suppose that $n$ has a prime-power factor $p^t$ with $t \ge 2$. Then

$$\lambda(p^t) = \phi(p^t) = p^{t-1}(p - 1) \mid \lambda(n) \mid n - 1.$$

This implies that $p \mid (n - 1)$, which is impossible because $p \mid n$. Consequently, $n$ must be the product of distinct odd primes, say,

$$n = q_1 q_2 \cdots q_k.$$
We conclude the proof by noting that
$$\lambda(q_i) = \phi(q_i) = (q_i - 1) \mid \lambda(n) \mid n - 1.$$ ■
We can easily prove more about the prime factorizations of Carmichael numbers.

Theorem 9.24. A Carmichael number must have at least three different odd prime factors.

Proof. Let $n$ be a Carmichael number. Then $n$ cannot have just one prime factor, because it is composite, and is the product of distinct primes. So assume that $n = pq$, where $p$ and $q$ are odd primes with $p > q$. Then

$$n - 1 = pq - 1 = (p - 1)q + (q - 1) \equiv q - 1 \not\equiv 0 \pmod{p - 1},$$

which shows that $(p - 1) \nmid (n - 1)$. Hence, $n$ cannot be a Carmichael number if it has just two different prime factors. ■
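The formula of Theorem 9.22 and the Carmichael criterion that follows from Theorem 9.23 and its converse, as an added example (not code from the book). The inputs 600, 180, 83 and the nine-factor modulus are taken from Examples 9.26 to 9.28; the function names and the brute-force order search are assumptions made here.

```python
from math import gcd


def factorize(n):
    """Prime-power factorization by trial division: {prime: exponent}."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def carmichael_lambda(n):
    """Minimal universal exponent of n via Theorem 9.22."""
    lam = 1
    for p, t in factorize(n).items():
        if p == 2:
            part = 1 if t == 1 else 2 if t == 2 else 2 ** (t - 2)
        else:
            part = p ** (t - 1) * (p - 1)      # phi(p^t) for odd p
        lam = lam // gcd(lam, part) * part     # least common multiple
    return lam


def order(a, n):
    """Order of a modulo n by repeated multiplication (small n only)."""
    if gcd(a, n) != 1:
        raise ValueError("a must be relatively prime to n")
    k, x = 1, a % n
    while x != 1:
        x = x * a % n
        k += 1
    return k


def element_of_max_order(n):
    """Smallest positive a with ord_n a = lambda(n)."""
    lam = carmichael_lambda(n)
    return next(a for a in range(1, n) if gcd(a, n) == 1 and order(a, n) == lam)


def is_carmichael(n):
    """n is composite and lambda(n) divides n - 1."""
    composite = sum(factorize(n).values()) > 1
    return n > 2 and composite and (n - 1) % carmichael_lambda(n) == 0


if __name__ == "__main__":
    print(carmichael_lambda(600), carmichael_lambda(180), order(83, 180))
    print(carmichael_lambda(2**6 * 3**2 * 5 * 7 * 13 * 17 * 19 * 37 * 73))
    for n in (m for m in range(3, 3000) if is_carmichael(m)):
        print(n, factorize(n))     # each has at least three odd primes
```

Every number the last loop prints passes the Fermat test to every base relatively prime to it, which is why a Fermat check alone is not an acceptable primality test when generating key material.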


EXERCISES 


1. Find $\lambda(n)$, the minimal universal exponent of $n$, for the following values of $n$.
a) 100   d) 884   g) 10!
b) 144   e) $2^4 \cdot 3^3 \cdot 5^2 \cdot 7$   h) 20!
c) 222   f) $2^5 \cdot 3^2 \cdot 5^2 \cdot 7^3 \cdot 11^2 \cdot 13 \cdot 17 \cdot 19$
2. Find all positive integers $n$ such that $\lambda(n)$ is equal to each of the following integers.
a) 1   c) 3   e) 5
b) 2   d) 4   f) 6
3. Find the largest integer $n$ with $\lambda(n) = 12$.
4. Find an integer with the largest possible order for the following moduli.
a) 12   c) 20   e) 40
b) 15   d) 36   f) 63
5. Show that if $m$ is a positive integer, then $\lambda(m)$ divides $\phi(m)$.
6. Show that if $m$ and $n$ are relatively prime positive integers, then $\lambda(mn) = [\lambda(m), \lambda(n)]$.
7. Let $n$ be the largest positive integer satisfying the equation $\lambda(n) = a$, where $a$ is a fixed positive integer. Show that if $m$ is another solution of $\lambda(m) = a$, then $m$ divides $n$.
8. Suppose that $n$ is a positive integer. How many incongruent integers are there with maximal order modulo $n$?
9. Show that if $a$ and $m$ are relatively prime integers, then the solutions of the congruence $ax \equiv b \pmod{m}$ are the integers $x$ such that $x \equiv a^{\lambda(m)-1} b \pmod{m}$.
10. Show that if $c$ is a positive integer greater than 1, then the integers $1^c, 2^c, \ldots, (m - 1)^c$ form a complete system of residues modulo $m$ if and only if $m$ is square-free and $(c, \lambda(m)) = 1$.
11. a) Show that if $c$ and $m$ are positive integers and $m$ is odd, then the congruence $x^c \equiv x \pmod{m}$ has exactly
$$\prod_{j=1}^{r} \bigl(1 + (c - 1, \phi(p_j^{a_j}))\bigr)$$
incongruent solutions, where $m$ has prime-power factorization $m = p_1^{a_1} p_2^{a_2} \cdots p_r^{a_r}$.
b) Show that $x^c \equiv x \pmod{m}$ has exactly $3^r$ solutions if $(c - 1, \phi(m)) = 2$.
12. Use Exercise 11 to show that there are always at least nine plaintext messages that are not changed when encrypted using an RSA cipher.
13. Show that 561 is the only Carmichael number of the form $3pq$, where $p$ and $q$ are primes.
14. Find all Carmichael numbers of the form $5pq$, where $p$ and $q$ are primes.
15. Show that there are only a finite number of Carmichael numbers of the form $n = pqr$, where $p$ is a fixed prime and $q$ and $r$ are also primes.
16. Show that the decrypting exponent $d$ for an RSA cipher with encrypting key $(e, n)$ can be taken to be an inverse of $e$ modulo $\lambda(n)$.

Let $n$ be a positive integer. When $(a, n) = 1$, we define the generalized Fermat quotient $q_n(a)$ by $q_n(a) \equiv (a^{\lambda(n)} - 1)/n \pmod{n}$ and $0 \le q_n(a) < n$.

17. Show that if $(a, n) = (b, n) = 1$, then $q_n(ab) \equiv q_n(a) + q_n(b) \pmod{n}$.
18. Show that if $(a, n) = 1$, then $q_n(a + nc) \equiv q_n(a) + \lambda(n) c \bar{a} \pmod{n}$, where $\bar{a}$ is the inverse of $a$ modulo $n$.
Computations and Explorations


1. Find the universal exponent of all integers less than 1000. 


2. Find Carmichael numbers with at least four different prime factors. 


Programming Projects 


1. Find the minimal universal exponent of a positive integer. 
2. Find an integer with the minimal universal exponent of n as its order modulo n. 


3. Given a positive integer M, find all positive integers m with minimal universal exponent equal 
to M. 


4. Solve linear congruences using the method of Exercise 9. 
10 Applications of Primitive Roots and the Order of an Integer

In this chapter, we will introduce applications that rely on the concepts of orders and primitive roots. First, we consider the problem of generating random numbers.
Computers can produce random numbers using data generated by hardware or software, 
but they cannot create long sequences of random numbers this way. To meet the need 
for long sequences of random numbers in computer programs, procedures have been 
developed to generate numbers that pass many statistical tests that numbers selected truly 
at random pass. The numbers that such procedures generate are called pseudorandom 
numbers. We will introduce several techniques to generate pseudorandom numbers based 
on modular arithmetic and the concepts of the order of integers and primitive roots. 


We will also introduce a public key cryptosystem, known as the ElGamal cryp- 
tosystem, defined using the concept of a primitive root of a prime. The security of this 
cryptosystem is based on the difficulty of the problem of finding discrete logarithms 
modulo a prime. We will explain how to encrypt and decrypt messages using ElGamal 
encryption, and how to sign messages in this cryptosystem. 


Finally, we will discuss an application of the concepts of the order of an integer and 
of primitive roots to the splicing of telephone cables. 


10.1 Pseudorandom Numbers


Numbers chosen at random are useful in many applications. Random numbers are 
needed for computer simulations used to study phenomena in areas such as nuclear 
physics, operations research, and data networking. They can be used to construct random 
samples so that the behavior of a system can be studied when it is impossible to test all 
possible cases. Random numbers are used to test the performance of computer algorithms 
and to run randomized algorithms that make random choices during their execution. 
Random numbers are also extensively used in numerical analysis. For instance, random 
numbers can be used to estimate integrals using Riemann sums, a topic studied in 
calculus. In number theory, random numbers are used in probabilistic primality tests. 
In cryptography, random numbers have many applications, such as in generation of 
cryptokeys and in the execution of cryptographic protocols. 


When we talk about random numbers, we mean the terms of a sequence of numbers 
in which each term is selected by chance without any dependence on the other terms of the 
sequence, and with a specified probability of lying in a particular interval. (It really makes 
no sense to say that a particular number, such as 47, is random, although it can be a term 
of a sequence of random numbers.) Before 1940, scientists requiring random numbers produced them by rolling dice, spinning roulette wheels, picking balls out of an urn, dealing cards, or taking random digits from tabulated data, such as census reports. In the 1940s, machines were invented to produce random numbers, and in the 1950s, computers were used to generate random numbers using random noise generators. However, random numbers produced by a mechanical process often became skewed from malfunctions in computer hardware. Another important problem was that random numbers generated using physical phenomena could not be reproduced to check the results of a computer program.


The idea of generating random numbers using computer programs instead of via mechanical methods was first proposed in 1946 by John von Neumann. The method he
suggested, called the middle-square method, works as follows. To generate four-digit 
random numbers, we start with an arbitrary four-digit number, say, 6139. We square this 
number to obtain 37,687,321, and we take the middle four digits, 6873, as the second 
random number. We iterate this procedure to obtain a sequence of random numbers, 
always squaring and removing the middle four digits to obtain a new random number 
from the preceding one. (The square of a four-digit number has eight or fewer digits. 
Those with fewer than eight digits are considered eight-digit numbers by adding initial 
digits of 0.) 


Sequences produced by the middle-square method are, in reality, not randomly 
chosen. When the initial four-digit number is known, the entire sequence is determined. 
However, the sequence of numbers produced appears to be random, and the numbers 
produced are useful for computer simulations. The integers in sequences that have been 
chosen in some methodical manner, but appear to be random, are called pseudorandom 
numbers. 


It turns out that the middle-square method has some unfortunate weaknesses. The most undesirable feature of this method is that, for many choices of the initial integer, the method produces the same small set of numbers over and over. For instance, starting with the four-digit integer 4100 and using the middle-square method, we obtain the sequence 8100, 6100, 2100, 4100, 8100, 6100, 2100, ..., which only gives four different numbers before repeating.


JOHN VON NEUMANN (1903-1957) was born in Budapest, Hungary. In 1930, after holding several positions at universities in Germany, he came to the United States. In 1933, von Neumann became, along with Albert Einstein, one of the first members of the famous Institute for Advanced Study in Princeton, New Jersey. Von Neumann was one of the most versatile mathematical talents of the twentieth century. He invented the mathematical discipline known as game theory; using game theory, he made many important discoveries in mathematical economics. Von Neumann made fundamental contributions to the development of the first computers, and participated in the early development of atomic weapons.

The Linear Congruential Generation


The most commonly used method for generating pseudorandom numbers, called the linear congruential method, was introduced by D. H. Lehmer in 1949. It works as follows: Integers $m$, $a$, $c$, and $x_0$ are chosen so that $2 \le a < m$, $0 \le c < m$, and $0 \le x_0 < m$. The sequence of pseudorandom numbers is defined recursively by

$$x_{n+1} \equiv a x_n + c \pmod{m}, \quad 0 \le x_{n+1} < m,$$

for $n = 0, 1, 2, 3, \ldots$. We call $m$ the modulus, $a$ the multiplier, $c$ the increment, and $x_0$ the seed of the pseudorandom numbers generator. The following examples illustrate the linear congruential method.

Example 10.1. When we take $m = 12$, $a = 3$, $c = 4$, and $x_0 = 5$ in the linear congruential generator, we have $x_1 \equiv 3 \cdot 5 + 4 \equiv 7 \pmod{12}$, so that $x_1 = 7$. Similarly, we find that $x_2 = 1$, because $x_2 \equiv 3 \cdot 7 + 4 \equiv 1 \pmod{12}$, $x_3 = 7$, because $x_3 \equiv 3 \cdot 1 + 4 \equiv 7 \pmod{12}$, and so on. Hence, the generator produces just three different integers before repeating. The sequence of pseudorandom numbers obtained is 5, 7, 1, 7, 1, 7, 1, .... ◄

Example 10.2. When we take $m = 9$, $a = 7$, $c = 4$, and $x_0 = 3$ in the linear congruential generator, we obtain the sequence 3, 7, 8, 6, 1, 2, 0, 4, 5, 3, ... (as should be verified by the reader). This sequence contains nine different numbers before repeating. ◄


Remark. For computer simulations it is often necessary to generate pseudorandom numbers between 0 and 1. We can obtain such numbers by using a linear congruential generator to produce pseudorandom numbers $x_i$, $i = 1, 2, 3, \ldots$ between 0 and $m$, and then dividing each number by $m$, obtaining the sequence $x_i/m$, $i = 1, 2, 3, \ldots$.


The following theorem tells us how to find the terms of a sequence of pseudorandom 
numbers generated by the linear congruential method directly from the multiplier, the 
increment, and the seed. 


Theorem 10.1. The terms of the sequence generated by the linear congruential method previously described are given by

$$x_k \equiv a^k x_0 + c(a^k - 1)/(a - 1) \pmod{m}, \quad 0 \le x_k < m.$$

Proof. We prove this result using mathematical induction. For $k = 1$, the formula is obviously true, because $x_1 \equiv a x_0 + c \pmod{m}$, $0 \le x_1 < m$. Assume that the formula is valid for the $k$th term, so that

$$x_k \equiv a^k x_0 + c(a^k - 1)/(a - 1) \pmod{m}, \quad 0 \le x_k < m.$$
Because

$$x_{k+1} \equiv a x_k + c \pmod{m}, \quad 0 \le x_{k+1} < m,$$
we have
$$x_{k+1} \equiv a\bigl(a^k x_0 + c(a^k - 1)/(a - 1)\bigr) + c$$
$$\equiv a^{k+1} x_0 + c\bigl(a(a^k - 1)/(a - 1) + 1\bigr)$$
$$\equiv a^{k+1} x_0 + c(a^{k+1} - 1)/(a - 1) \pmod{m},$$

which is the correct formula for the $(k + 1)$st term. This demonstrates that the formula is correct for all positive integers $k$. ■


The period length of a linear congruential pseudorandom number generator is the maximum length of the sequence obtained without repetition. We note that the longest possible period length for a linear congruential generator is the modulus $m$. The following theorem tells us when this maximum length is obtained.

Theorem 10.2. The linear congruential generator produces a sequence of period length $m$ if and only if $(c, m) = 1$, $a \equiv 1 \pmod{p}$ for all primes $p$ dividing $m$, and $a \equiv 1 \pmod{4}$ if $4 \mid m$.


Because the proof of Theorem 10.2 is complicated and quite lengthy, we omit it. 
The reader is referred to [Kn97] for a proof. 
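Theorems 10.1 and 10.2 checked against Examples 10.1 and 10.2, as an added example (not code from the book). The parameter sets (12, 3, 4, 5) and (9, 7, 4, 3) are the book's; the function names and the moduli used for the exhaustive comparison are assumptions made here.

```python
from math import gcd


def first_terms(m, a, c, x0, count):
    """x_0, x_1, ..., x_{count-1} from x_{n+1} = a*x_n + c (mod m)."""
    out, x = [], x0
    for _ in range(count):
        out.append(x)
        x = (a * x + c) % m
    return out


def terms_before_repeat(m, a, c, x0):
    """Number of distinct terms produced before any value repeats."""
    seen, x = set(), x0
    while x not in seen:
        seen.add(x)
        x = (a * x + c) % m
    return len(seen)


def jump(m, a, c, x0, k):
    """x_k from Theorem 10.1 without iterating.

    a - 1 need not be invertible modulo m, so a^k is reduced modulo
    m*(a - 1); the division by a - 1 is then exact and the quotient is
    (a^k - 1)/(a - 1) reduced modulo m.
    """
    if a == 1:
        return (x0 + c * k) % m
    mod = m * (a - 1)
    geom = ((pow(a, k, mod) - 1) % mod) // (a - 1)
    return (pow(a, k, m) * x0 + c * geom) % m


def prime_divisors(m):
    ps, d = [], 2
    while d * d <= m:
        if m % d == 0:
            ps.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        ps.append(m)
    return ps


def full_period_by_theorem(m, a, c):
    """The three conditions of Theorem 10.2."""
    return (gcd(c, m) == 1
            and all((a - 1) % p == 0 for p in prime_divisors(m))
            and (m % 4 != 0 or (a - 1) % 4 == 0))


def theorem_agrees(m):
    """Compare Theorem 10.2 with brute force for 2 <= a < m, 0 <= c < m."""
    return all(
        full_period_by_theorem(m, a, c) == (terms_before_repeat(m, a, c, 0) == m)
        for a in range(2, m) for c in range(m))


if __name__ == "__main__":
    print(first_terms(12, 3, 4, 5, 7), terms_before_repeat(12, 3, 4, 5))
    print(first_terms(9, 7, 4, 3, 10), terms_before_repeat(9, 7, 4, 3))
    print(jump(9, 7, 4, 3, 1000), [theorem_agrees(m) for m in (9, 12, 16)])
```

The closed form also shows that any term can be computed from the parameters and the seed alone, so the whole sequence is fixed once those values are known.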


The Pure Multiplicative Congruential Method 


The case of the linear congruential generator with $c = 0$ is of special interest because of its simplicity. In this case, the method is called the pure multiplicative congruential method. We specify the modulus $m$, multiplier $a$, and seed $x_0$. The sequence of pseudorandom numbers is defined recursively by

$$x_{n+1} \equiv a x_n \pmod{m}, \quad 0 < x_{n+1} < m.$$

In general, we can express the pseudorandom numbers generated in terms of the multiplier and seed:

$$x_n \equiv a^n x_0 \pmod{m}, \quad 0 < x_n < m.$$

If $\ell$ is the period length of the sequence obtained using this pure multiplicative generator, then $\ell$ is the smallest positive integer such that

$$x_0 \equiv a^{\ell} x_0 \pmod{m}.$$
If $(x_0, m) = 1$, using Corollary 4.4.1 we have
$$a^{\ell} \equiv 1 \pmod{m}.$$

From this congruence, we know that the largest possible period length is $\lambda(m)$, where $\lambda(m)$ is the minimal universal exponent modulo $m$.


For many applications, the pure multiplicative generator is used with the modulus
m equal to the Mersenne prime $M_{31} = 2^{31} - 1$. When the modulus m is a prime, the
maximum period length is m − 1, and this is obtained when a is a primitive root of m.
To find a primitive root of $M_{31}$ that can be used with good results, we first demonstrate
that 7 is a primitive root of $M_{31}$.

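Theorem 10.3. The integer 7 is a primitive root of $M_{31} = 2^{31} - 1$.

Proof. To show that 7 is a primitive root of $M_{31} = 2^{31} - 1$, it is sufficient to show that

$$7^{(M_{31}-1)/q} \not\equiv 1 \pmod{M_{31}}$$

for all prime divisors q of $M_{31} - 1$. With this information, we can conclude that
$\mathrm{ord}_{M_{31}} 7 = M_{31} - 1$. To find the factorization of $M_{31} - 1$, we note that

$$\begin{aligned}
M_{31} - 1 &= 2^{31} - 2 = 2(2^{30} - 1) = 2(2^{15} - 1)(2^{15} + 1) \\
&= 2(2^{5} - 1)(2^{10} + 2^{5} + 1)(2^{5} + 1)(2^{10} - 2^{5} + 1) \\
&= 2 \cdot 3^{2} \cdot 7 \cdot 11 \cdot 31 \cdot 151 \cdot 331.
\end{aligned}$$

If we show that

$$7^{(M_{31}-1)/q} \not\equiv 1 \pmod{M_{31}}$$

for q = 2, 3, 7, 11, 31, 151, and 331, then we know that 7 is a primitive root of
$M_{31}$ = 2,147,483,647. Because

$$\begin{aligned}
7^{(M_{31}-1)/2} &\equiv 2{,}147{,}483{,}646 \not\equiv 1 \pmod{M_{31}} \\
7^{(M_{31}-1)/3} &\equiv 1{,}513{,}477{,}735 \not\equiv 1 \pmod{M_{31}} \\
7^{(M_{31}-1)/7} &\equiv 120{,}536{,}285 \not\equiv 1 \pmod{M_{31}} \\
7^{(M_{31}-1)/11} &\equiv 1{,}969{,}212{,}174 \not\equiv 1 \pmod{M_{31}} \\
7^{(M_{31}-1)/31} &\equiv 512 \not\equiv 1 \pmod{M_{31}} \\
7^{(M_{31}-1)/151} &\equiv 535{,}044{,}134 \not\equiv 1 \pmod{M_{31}} \\
7^{(M_{31}-1)/331} &\equiv 1{,}761{,}885{,}083 \not\equiv 1 \pmod{M_{31}},
\end{aligned}$$

we see that 7 is a primitive root of $M_{31}$.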


In practice, we do not want to use the primitive root 7 as the generator, because
the first few integers generated are small. Instead, we find a larger primitive root using
Corollary 9.4.1. We use $7^{k}$, where $(k, M_{31} - 1) = 1$. For instance, because
$(5, M_{31} - 1) = 1$, we know that $7^{5} = 16{,}807$ is a primitive root. Because
$(13, M_{31} - 1) = 1$, another possibility is to use $7^{13} \equiv 252{,}246{,}292 \pmod{M_{31}}$
as the multiplier.
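The check in the proof of Theorem 10.3 and the choice of multiplier $7^k$ can be carried out mechanically. The following is an added example, not code from the book; the function names are hypothetical. It factors $M_{31} - 1$ by trial division, computes the period of a candidate multiplier as its multiplicative order, and lists the powers $7^k$ with $(k, M_{31} - 1) = 1$.

```python
from math import gcd

M31 = 2**31 - 1  # the Mersenne prime modulus discussed above


def prime_factors(n):
    """Distinct prime factors of n, by trial division."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def order_mod_prime(a, p):
    """Multiplicative order of a modulo the prime p.

    Start from p - 1 and strip a prime q for as long as a^(order/q) is
    still 1. For the pure multiplicative generator with prime modulus p
    this is the period length for every seed not divisible by p.
    """
    if a % p == 0:
        raise ValueError("multiplier must not be divisible by the modulus")
    order = p - 1
    for q in prime_factors(p - 1):
        while order % q == 0 and pow(a, order // q, p) == 1:
            order //= q
    return order


def is_primitive_root(a, p):
    """The test used in the proof of Theorem 10.3."""
    if a % p == 0:
        return False
    return all(pow(a, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def full_period_multipliers(root, p, max_exponent):
    """Pairs (k, root^k mod p) with gcd(k, p - 1) = 1, 1 <= k <= max_exponent."""
    return [(k, pow(root, k, p))
            for k in range(1, max_exponent + 1) if gcd(k, p - 1) == 1]


if __name__ == "__main__":
    print("prime factors of M31 - 1:", prime_factors(M31 - 1))
    print("7 is a primitive root of M31:", is_primitive_root(7, M31))
    for k, a in full_period_multipliers(7, M31, 13):
        print(f"k={k:2d}  multiplier={a:>10d}  period={order_mod_prime(a, M31)}")
    # A power with gcd(k, M31 - 1) > 1 loses period: 7^2 has half the maximum.
    print("period for 7^2:", order_mod_prime(pow(7, 2, M31), M31))
    # A small multiplier can be far worse: 2 has order 31 because 2^31 = 1.
    print("period for multiplier 2:", order_mod_prime(2, M31))
```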


The Square Pseudorandom Number Generator 


Another example of a pseudorandom number generator is the square pseudorandom
number generator. Given a positive integer n (the modulus) and an initial term $x_0$
(the seed), this generator produces a sequence of pseudorandom numbers using the
congruence

$$x_{i+1} \equiv x_i^{2} \pmod{n}, \quad 0 < x_{i+1} < n.$$

From this definition, we can easily see that

$$x_i \equiv x_0^{2^{i}} \pmod{n}, \quad 0 < x_i < n.$$

Example 10.3. Let n = 209 be the modulus and $x_0 = 6$ the seed of the square pseudorandom
number generator. The sequence produced by this generator is

6, 36, 42, 92, 104, 157, 196, 169, 137, 168, 9, 81, 82, 36, 42, ....

We see that this sequence has a period of length 12. The first term is not part of the period.


We can determine the length of the period of a square pseudorandom number 
generator using the concept of order modulo n, as the following theorem shows. 


Theorem 10.4. The length of the period of the square pseudorandom number generator with
seed $x_0$ and modulus n is $\mathrm{ord}_s 2$, where the integer s is the odd positive integer such that
$\mathrm{ord}_n x_0 = 2^{t} s$, where t is a nonnegative integer.

Proof. We will show that $\mathrm{ord}_s 2$ divides $\ell$, the length of the period of this generator.
Suppose that $x_j = x_{j+\ell}$ for some integer j. Then

$$x_0^{2^{j}} \equiv x_0^{2^{j+\ell}} \pmod{n},$$

which implies that

$$x_0^{2^{j+\ell} - 2^{j}} \equiv 1 \pmod{n}.$$

Using the definition of the order of an integer modulo n, we see that

$$\mathrm{ord}_n x_0 \mid (2^{j+\ell} - 2^{j}),$$

or, equivalently, that

$$(10.1) \qquad 2^{j+\ell} \equiv 2^{j} \pmod{2^{t} s}.$$

Because $2^{t} \mid (2^{j+\ell} - 2^{j})$ and $2^{j+\ell} - 2^{j} = 2^{j}(2^{\ell} - 1)$, we see that $j \ge t$. By congruence
(10.1) and Theorem 4.4, it follows that

$$2^{j+\ell-t} \equiv 2^{j-t} \pmod{s}.$$

Using Theorem 9.2, we see that $j + \ell - t \equiv j - t \pmod{\mathrm{ord}_s 2}$. Hence, $\ell \equiv 0 \pmod{\mathrm{ord}_s 2}$,
which means that $\mathrm{ord}_s 2$ divides $\ell$, the period length.

We will now show that the period $\ell$ divides $\mathrm{ord}_s 2$. To show that $\mathrm{ord}_s 2$ is a multiple
of $\ell$, we need only show that there are two terms $x_j$ and $x_k = x_j$ such that
$j \equiv k \pmod{\mathrm{ord}_s 2}$. To accomplish this, we suppose that $j \equiv k \pmod{\mathrm{ord}_s 2}$ and that
$k > j \ge t$. By Theorem 9.2, we see that

$$2^{j} \equiv 2^{k} \pmod{s}.$$

Furthermore, we have

$$2^{k} \equiv 2^{j} \pmod{2^{t}},$$

because $2^{k} - 2^{j} = 2^{j}(2^{k-j} - 1)$ and $j \ge t$. By Corollary 4.8.1 and the fact that $(2^{t}, s) = 1$,
we can conclude that

$$2^{j} \equiv 2^{k} \pmod{2^{t} s}.$$

Because $\mathrm{ord}_n x_0 = 2^{t} s$, we know that

$$\mathrm{ord}_n x_0 \mid (2^{k} - 2^{j}),$$

which means that

$$x_0^{2^{k} - 2^{j}} \equiv 1 \pmod{n},$$

which in turn tells us that

$$x_0^{2^{k}} \equiv x_0^{2^{j}} \pmod{n}.$$

This implies that $x_k = x_j$. We conclude that $\mathrm{ord}_s 2$ must be a multiple of $\ell$, completing
the proof.


Example 10.4. In Example 10.3, we used the modulus n = 209 and the seed $x_0 = 6$
in the square pseudorandom generator. We note that $\mathrm{ord}_{209} 6 = 90$ (as the reader should
verify). Because 90 = 2 · 45, Theorem 10.4 tells us that the period length of this generator
is $\mathrm{ord}_{45} 2 = 12$ (as the reader should verify). This is the length we observed when we listed
the terms generated.
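The verification left to the reader in Examples 10.3 and 10.4 can be done by machine. The following is an added example, not code from the book; the function names are hypothetical. It finds the period by iterating until a term repeats, computes the prediction of Theorem 10.4 from $\mathrm{ord}_n x_0 = 2^t s$, and also reports t, which by the proof above is the number of terms before the period starts.

```python
from math import gcd


def square_sequence(seed, n, count):
    """First `count` terms x_0, x_1, ... of x_{i+1} = x_i^2 mod n."""
    terms, x = [], seed % n
    for _ in range(count):
        terms.append(x)
        x = x * x % n
    return terms


def observed_cycle(seed, n):
    """Return (preperiod, period) found by iterating until a term repeats."""
    first_seen, x, i = {}, seed % n, 0
    while x not in first_seen:
        first_seen[x] = i
        x = x * x % n
        i += 1
    return first_seen[x], i - first_seen[x]


def order(a, n):
    """Multiplicative order of a modulo n; defined only when gcd(a, n) = 1."""
    if n == 1:
        return 1  # every integer is congruent to 1 modulo 1
    if gcd(a, n) != 1:
        raise ValueError("order is undefined: a and n are not coprime")
    k, power = 1, a % n
    while power != 1:
        power = power * a % n
        k += 1
    return k


def predicted_cycle(seed, n):
    """Theorem 10.4: write ord_n(seed) = 2^t * s with s odd.

    Returns (t, s, ord_s(2)); the last value is the period length.
    """
    s, t = order(seed, n), 0
    while s % 2 == 0:
        s //= 2
        t += 1
    return t, s, order(2, s)


if __name__ == "__main__":
    n, seed = 209, 6  # the values of Example 10.3
    print(square_sequence(seed, n, 15))
    print("ord_209(6) =", order(seed, n))
    t, s, period = predicted_cycle(seed, n)
    print(f"t = {t}, s = {s}, predicted period ord_{s}(2) = {period}")
    print("observed (preperiod, period):", observed_cycle(seed, n))
    # A seed sharing a factor with n has no order, so the theorem does not apply.
    try:
        predicted_cycle(11, n)
    except ValueError as exc:
        print("seed 11:", exc, "-> observed", observed_cycle(11, n))
```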


How can we tell whether the terms of a sequence of pseudorandom numbers are 
useful for computer simulations and other applications? One method is to see whether 
these numbers pass statistical tests designed to determine whether a sequence has par- 
ticular characteristics that a truly random sequence would most likely have. A battery of 
such tests can be used to evaluate pseudorandom number generators. For example, the 
frequencies of numbers can be tested, as can the frequencies of pairs of numbers. The 
frequencies of the appearance of subsequences can be checked, as can the frequency of 
runs of the same number of various lengths. An autocorrelation test that checks whether 
there are correlations of the sequence and shifted versions of it may also be helpful. 
These and other tests are discussed in [Kn97] and [MevaVa97]. 


For cryptographic applications, pseudorandom number generators must not be pre- 
dictable. For example, a linear congruential pseudorandom number generator cannot be 
used for cryptographic applications, because, in sequences generated this way, knowl- 
edge of several consecutive terms can be used to find other terms. Instead, cryptograph- 
ically secure pseudorandom number generators must be used. These produce sequences 
such that the terms of the sequence are unpredictable to an adversary with limited compu- 
tational resources. These notions are made more precise in [MevaVa97], and in [La90]. 
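The claim that consecutive terms of a linear congruential generator determine the other terms can be checked directly, which is why such a generator fails the unpredictability requirement. The following is an added example, not code from the book; the function names are hypothetical, and the increment 12345 and seed 42 are constructed values. The modulus is assumed to be known.

```python
from math import gcd


def lcg(a, c, m, seed):
    """Yield x_1, x_2, ... for x_{n+1} = (a*x_n + c) mod m."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x


def recover_parameters(x0, x1, x2, m):
    """Solve x1 = a*x0 + c and x2 = a*x1 + c (mod m) for (a, c).

    Subtracting the two congruences gives x2 - x1 = a*(x1 - x0) (mod m).
    This determines a uniquely only when gcd(x1 - x0, m) = 1; otherwise
    a different triple of consecutive terms is needed.
    """
    d = (x1 - x0) % m
    if gcd(d, m) != 1:
        raise ValueError("x1 - x0 is not invertible modulo m")
    a = (x2 - x1) * pow(d, -1, m) % m
    c = (x1 - a * x0) % m
    return a, c


def predict_next(observed, m, count):
    """Predict the `count` terms that follow three or more observed terms."""
    params = None
    for i in range(len(observed) - 2):
        try:
            params = recover_parameters(*observed[i:i + 3], m)
            break
        except ValueError:
            continue
    if params is None:
        raise ValueError("no usable triple in the observed terms")
    a, c = params
    # The recovered pair must reproduce every observed step.
    for prev, nxt in zip(observed, observed[1:]):
        if (a * prev + c) % m != nxt:
            raise ValueError("terms are not consistent with a single generator")
    predicted, x = [], observed[-1]
    for _ in range(count):
        x = (a * x + c) % m
        predicted.append(x)
    return predicted


if __name__ == "__main__":
    m = 2**31 - 1
    gen = lcg(16807, 12345, m, 42)      # constructed parameters
    seen = [next(gen) for _ in range(3)]
    actual = [next(gen) for _ in range(5)]
    print("recovered (a, c):", recover_parameters(*seen, m))
    print("prediction matches:", predict_next(seen, m, 5) == actual)
```

Values that must be unpredictable, such as keys or the integer k used later in this chapter, should come from a cryptographically secure source; in Python that is the `secrets` module.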


We have only briefly touched upon the subject of pseudorandom numbers. For 
a thorough discussion of pseudorandom numbers, see [Kn97], and for a survey of 
the relationships between pseudorandom number generators and cryptography, see the 
chapter by Lagarias in [Po90]. 


Applications of Primitive Roots and the Order of an Integer


10.1 EXERCISES


1. Find the sequence of two-digit pseudorandom numbers generated using the middle-square
method, taking 69 as the seed.

2. Find the first ten terms of the sequence of pseudorandom numbers generated by the linear
congruential method with $x_0 = 6$ and $x_{n+1} \equiv 5x_n + 2 \pmod{19}$. What is the period length of
this generator?

3. Find the period length of the sequence of pseudorandom numbers generated by the linear
congruential method with $x_0 = 2$ and $x_{n+1} \equiv 4x_n + 7 \pmod{25}$.

4. Show that if either a = 0 or a = 1 is used for the multiplier in the linear congruential method,
the result would not be a good choice for a sequence of pseudorandom numbers.

5. Using Theorem 10.2, find those integers a that give period length m, where (c, m) = 1, for
the linear congruential generator $x_{n+1} \equiv ax_n + c \pmod{m}$, for each of the following moduli.
a) m = 1000 b) m =30030 c)m=10°-—1 d)m=2% -1 


* 6. Show that every linear congruential pseudorandom number generator can be simply expressed
in terms of a linear congruential generator with increment c = 1 and seed 0, by showing that
the terms generated by the linear congruential generator $x_{n+1} \equiv ax_n + c \pmod{m}$, with seed
$x_0$, can be expressed as $x_n \equiv b \cdot y_n + x_0 \pmod{m}$, where $b \equiv (a - 1)x_0 + c \pmod{m}$, $y_0 = 0$,
and $y_{n+1} \equiv ay_n + 1 \pmod{m}$.

7. Find the period length of the pure multiplicative pseudorandom number generator $x_n \equiv cx_{n-1}
\pmod{2^{31} - 1}$ for each of the following multipliers c.
a) 2 b) 3 c) 4 d) 5 e) 13 f) 17

8. Show that the maximal possible period length for a pure multiplicative generator of the form
$x_{n+1} \equiv ax_n \pmod{2^{e}}$, e > 3, is $2^{e-2}$. Show that this is obtained when $a \equiv \pm 3 \pmod{8}$.

9. Find the sequence of numbers generated by the square pseudorandom number generator with
modulus 77 and seed 8.

10. Find the sequence of numbers generated by the square pseudorandom number generator with
modulus 1001 and seed 5.

11. Use Theorem 10.4 to find the period length of the pseudorandom sequence in Exercise 9.

12. Use Theorem 10.4 to find the period length of the pseudorandom sequence in Exercise 10.

13. Show that the longest possible period of any sequence of pseudorandom numbers generated by
the square pseudorandom number generator with modulus 77, regardless of the seed chosen,
is 4.

14. What is the longest possible period of any sequence of pseudorandom numbers generated by
the square pseudorandom number generator with modulus 989, regardless of the seed chosen?

Another way to generate pseudorandom numbers is to use the Fibonacci generator. Let m be a
positive integer. Two initial integers $x_0$ and $x_1$, both less than m, are specified, and the rest of the
sequence is generated recursively by the congruence $x_{n+1} \equiv x_n + x_{n-1} \pmod{m}$, $0 < x_{n+1} < m$.

15. Find the first eight pseudorandom numbers generated by the Fibonacci generator with
modulus m = 31 and initial values $x_0 = 1$ and $x_1 = 24$.


16. Find a good choice for the multiplier a in the pure multiplicative pseudorandom number
generator $x_n \equiv ax_{n-1} \pmod{101}$. (Hint: Find a primitive root of 101 that is not too small.)


17. Find a good choice for the multiplier a in the pure multiplicative pseudorandom number
generator x, = ax,_, (mod 2” — 1). (Hint: Find a primitive root of 27> — 1 and then take an 
appropriate power of this root.) 


18. Find the multiplier a and increment c of the linear congruential pseudorandom number
generator x,,,; = ax, +c (mod 1003), 0 < x,,, < 1003, if x9 = 1, x. = 402, and x3 = 361. 


19. Find the multiplier a of the pure multiplicative pseudorandom number generator
$x_{n+1} \equiv ax_n \pmod{1000}$, $0 < x_{n+1} < 1000$, if 313 and 145 are consecutive terms generated.

20. The discrete exponential generator takes a positive integer $x_0$ as its seed and generates
pseudorandom numbers $x_1, x_2, x_3, \ldots$ using the recursive definition $x_{n+1} \equiv g^{x_n} \pmod{p}$,
$0 < x_{n+1} < p$, for n = 0, 1, 2, ..., where p is an odd prime and g is a primitive root
modulo p.

a) Find the sequence of pseudorandom numbers generated by the discrete exponential
generator with p = 17, g = 3, and $x_0 = 2$.

b) Find the sequence of pseudorandom numbers generated by the discrete exponential
generator with p = 47, g = 5, and $x_0 = 3$.

c) Given a term of a sequence of pseudorandom numbers generated by using a discrete
exponential generator, can the previous term be found easily when the prime p and
primitive root g are known?

21. Another method of generating pseudorandom numbers is to use the power generator with
parameters m, d. Here, m is a positive integer and d is a positive integer relatively prime to
$\phi(m)$. The generator starts with a positive integer $x_0$ as its seed and generates pseudorandom
numbers $x_1, x_2, x_3, \ldots$ using the recursive definition $x_{n+1} \equiv x_n^{d} \pmod{m}$, $0 < x_{n+1} < m$.

a) Find the sequence of pseudorandom numbers generated by a power generator with m =
15, d = 3, and seed $x_0 = 2$.

b) Find the sequence of pseudorandom numbers generated by a power generator with m =
23, d = 3, and seed $x_0 = 3$.


Computations and Explorations


1. Examine the behavior of the sequence of five-digit pseudorandom numbers produced by the
middle-square method, starting with different choices of the initial term.

2. Find the period length of different linear congruential pseudorandom generators of your
choice.

3. How long is the period of the linear congruential pseudorandom number generator with
a = 65,539, c = 0, and $m = 2^{31}$?

4. How long is the period of the linear congruential pseudorandom number generator with
a = 69,069, c = 1, and $m = 2^{32}$?

5. Find a seed that produces the longest possible period length for the square pseudorandom
number generator with modulus 2867.

6. Show that the square pseudorandom number generator with modulus 9,992,503 and seed 564
has a period length of 924.

7. Find the period length of different quadratic congruential pseudorandom number generators,
that is, generators of the form $x_{n+1} \equiv (ax_n^{2} + bx_n + c) \pmod{m}$, $0 < x_{n+1} < m$, where a, b,
and c are integers. Can you find conditions that guarantee that the period of this generator
is m?

8. Determine the length of the period of the Fibonacci generator described in the preamble to
Exercise 15 for various choices of the modulus m. Do you think this is a good generator of
pseudorandom numbers?

9. There are a variety of empirical tests to measure the randomness of pseudorandom number
generators. Ten such tests are described in Knuth [Kn97]. Look up these tests and apply some
of them to different pseudorandom number generators.


Programming Projects


1. The middle-square generator
2. The linear congruential generator
3. The pure multiplicative generator
4. The square generator
5. The Fibonacci generator (see the preamble to Exercise 15)
6. The discrete exponential generator (see Exercise 20)
7. The power generator (see Exercise 21)


10.2 The ElGamal Cryptosystem 


In Chapter 8, we introduced the RSA public key cryptosystem. The security of the RSA 
cryptosystem is based on the difficulty of factoring integers. In this section, we introduce 
another public key cryptosystem known as the ElGamal cryptosystem, invented by 
T. ElGamal in 1985. Its security is based on the difficulty of finding discrete logarithms 
modulo a large prime. (Recall that if p is a prime and r is a primitive root of p, the
discrete logarithm of an integer a is the exponent x for which $r^{x} \equiv a \pmod{p}$.)


In the ElGamal cryptosystem, each person selects a prime p, a primitive root r of 
p, and an integer a with 0 < a < p — 1. This exponent is the private key, that is, it is the 
information kept secret by that person. The corresponding public key is (p, r, b), where 
b is the integer with 


$$b \equiv r^{a} \pmod{p}, \quad 0 < a < p - 1.$$


In the following example, we illustrate how keys for the ElGamal cryptosystem are 
selected. 


Example 10.5. To generate a public and private key for the ElGamal cryptosystem, we
first select a prime p. Here we will take p = 2539. (This four-digit prime is selected to
illustrate how the cryptosystem works; in practice, a prime with several hundred digits
should be used.) Next, we need a primitive root of this prime p. We select the primitive
root r = 2 of 2539 (as the reader should verify). Next, we choose an integer a with
0 < a < 2538. We choose a = 14. This exponent a is the private key. The corresponding
public key is the triple (p, r, b) = (2539, 2, 1150), because $b \equiv 2^{14} \equiv 1150 \pmod{2539}$.


Before we encrypt a message using the ElGamal cryptosystem, we will translate
letters into their numerical equivalents and then form blocks of the largest possible size
(with an even number of digits), as we did when we encrypted messages in Section 8.4
using the RSA cryptosystem. (This is just one of many ways to translate messages made
up of characters into integers.) To encrypt a message to be sent to the person with public
key (p, r, b), we first select a random number k with 1 < k < p − 2. For each plaintext
block P, we compute the integers $\gamma$ and $\delta$ with

$$\gamma \equiv r^{k} \pmod{p}, \quad 0 < \gamma < p - 1$$

and

$$\delta \equiv P \cdot b^{k} \pmod{p}, \quad 0 < \delta < p - 1.$$

The ciphertext corresponding to the plaintext block P is the ordered pair $E(P) = (\gamma, \delta)$.
The plaintext message P has been hidden by multiplying it by $b^{k}$ to produce $\delta$. This
hidden message is transmitted together with $\gamma$. Only the person with the secret key a
can compute $b^{k}$ and $\gamma$, and use this to recover the original message.


When messages are encrypted using the ElGamal cryptosystem, the ciphertext 
corresponding to a plaintext block is twice as long as the original plaintext block. We say 
that this encryption method has a message expansion factor of 2. The random number k 
is included in the encryption procedure to increase security in several ways that we will 
describe later in this section. 


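Decrypting a message encrypted using ElGamal encryption depends on knowledge
of a, the private key. The first step of the decryption of a ciphertext pair $(\gamma, \delta)$ is to
compute $\overline{\gamma^{a}}$. This is done by computing $\gamma^{p-1-a}$ modulo p. Then, the pair $C = (\gamma, \delta)$ is
decrypted by computing

$$D(C) = \overline{\gamma^{a}}\,\delta.$$

To see that this recovers the plaintext message, note that

$$\begin{aligned}
D(C) &\equiv \overline{\gamma^{a}}\,\delta \pmod{p} \\
&\equiv \overline{r^{ka}} \cdot P b^{k} \pmod{p} \\
&\equiv \overline{(r^{a})^{k}}\,P b^{k} \pmod{p} \\
&\equiv \overline{b^{k}}\,P b^{k} \pmod{p} \\
&\equiv \overline{b^{k}}\,b^{k} P \pmod{p} \\
&\equiv P \pmod{p}.
\end{aligned}$$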


Example 10.6 illustrates encryption and decryption using the ElGamal cryptosystem.

Example 10.6. We will encrypt the message

PUBLIC KEY CRYPTOGRAPHY

using the ElGamal cryptosystem with the public key we constructed in Example 10.
In Example 8.16, we encrypted this same message using the RSA cryptosystem. We
translated the letters into their numerical equivalents and then grouped numbers into
blocks of four decimal digits. We can use this same grouping here because the largest
possible block is 2525. The blocks we obtained were

1520 0111 0802 1004
2402 1724 1519 1406
1700 1507 2423,

where the dummy letter X is translated into 23 at the end of the passage to fill out the
final block.

To encrypt these blocks, we first select a random number k with 1 < k < 2537 (we
will use the same k for each block here; in practice, a different number k is chosen
for each block to ensure a higher level of security). Picking k = 1443, we encrypt each
plaintext block P in a ciphertext block, using the relationship $E(C) = (\gamma, \delta)$, with

$$\gamma \equiv 2^{1443} \equiv 2141 \pmod{2539}$$

and

$$\delta \equiv P \cdot 1150^{1443} \pmod{2539}, \quad 0 < \delta < 2538.$$

For example, the first block is encrypted to (2141, 216), because

$$\gamma \equiv 2^{1443} \equiv 2141 \pmod{2539}$$

and

$$\delta \equiv 1520 \cdot 1150^{1443} \equiv 216 \pmod{2539}.$$

When we encrypt each block, we obtain the following ciphertext message:

(2141, 0216) (2141, 1312) (2141, 1771) (2141, 1185)
(2141, 2132) (2141, 1177) (2141, 1938) (2141, 2231)
(2141, 1177) (2141, 1938) (2141, 1694).

To decrypt a ciphertext block, we compute

$$D(C) \equiv \overline{\gamma^{14}}\,\delta \pmod{2539}.$$

For example, to decrypt the second ciphertext block (2141, 1312), we compute

$$\begin{aligned}
D((2141, 1312)) &\equiv \overline{2141^{14}} \cdot 1312 \\
&\equiv \overline{1430} \cdot 1312 \\
&\equiv 2452 \cdot 1312 \\
&\equiv 111 \pmod{2539}.
\end{aligned}$$

We have used the fact that 2452 is an inverse of 1430 modulo 2539. This inverse can
be found using the extended Euclidean algorithm, as the reader should verify. (We have
also used the fact that $2141^{14} \equiv 1430 \pmod{2539}$.)
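The key generation, encryption and decryption steps above can be written out as follows. This is an added example, not code from the book; the function names are hypothetical, and the toy prime 2539 is the page's own illustration, far too small for real use. It draws a fresh k for every block unless one is supplied, and `reused_k` flags a ciphertext in which the same $\gamma$, and therefore the same k, appears more than once.

```python
import secrets


def text_to_blocks(text, pad="X"):
    """Letters A-Z become 00-25, grouped two letters (four digits) per block."""
    letters = [ch for ch in text.upper() if "A" <= ch <= "Z"]
    if len(letters) % 2:
        letters.append(pad)
    nums = [ord(ch) - ord("A") for ch in letters]
    return [100 * nums[i] + nums[i + 1] for i in range(0, len(nums), 2)]


def blocks_to_text(blocks):
    """Inverse of text_to_blocks (spaces and padding are not restored)."""
    return "".join(chr(65 + b // 100) + chr(65 + b % 100) for b in blocks)


def public_key(p, r, a):
    """Public key (p, r, b) with b = r^a mod p for private key a."""
    return p, r, pow(r, a, p)


def encrypt(block, pub, k=None):
    """Return (gamma, delta) = (r^k mod p, block * b^k mod p)."""
    p, r, b = pub
    if not 0 <= block < p:
        raise ValueError("plaintext block must be smaller than the prime")
    if k is None:
        k = 1 + secrets.randbelow(p - 2)   # uniform in 1 .. p-2
    elif not 1 <= k <= p - 2:
        raise ValueError("k is out of range")
    return pow(r, k, p), block * pow(b, k, p) % p


def decrypt(cipher, p, a):
    """Multiply delta by gamma^(p-1-a), the inverse of gamma^a modulo p."""
    gamma, delta = cipher
    return pow(gamma, p - 1 - a, p) * delta % p


def reused_k(ciphertext):
    """True if two blocks share gamma. Since r is a primitive root, distinct
    k in 1 .. p-2 give distinct gamma, so a repeat means k was reused."""
    gammas = [gamma for gamma, _ in ciphertext]
    return len(set(gammas)) < len(gammas)


if __name__ == "__main__":
    p, r, a = 2539, 2, 14                      # Example 10.5
    pub = public_key(p, r, a)
    print("public key:", pub)
    blocks = text_to_blocks("PUBLIC KEY CRYPTOGRAPHY")
    print("first block, k = 1443:", encrypt(blocks[0], pub, k=1443))
    print("D((2141, 1312)) =", decrypt((2141, 1312), p, a))
    fixed = [encrypt(b, pub, k=1443) for b in blocks[:2]]
    print("same k for two blocks flagged:", reused_k(fixed))
    fresh = [encrypt(b, pub) for b in blocks]  # a new random k per block
    print(blocks_to_text([decrypt(c, p, a) for c in fresh]))
```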


As mentioned, the security of the ElGamal cryptosystem is based on the difficulty
of determining the private key a from the public key (p, r, b), an instance of the
discrete logarithm problem, a computationally difficult problem described in Section 9.4.
Breaking the ElGamal encryption method requires the recovery of a message P given
the public key (p, r, b) together with the encrypted message $(\gamma, \delta)$ without knowledge
of the private key a. Although there may be another way to do this other than solving a
discrete logarithm problem, it is widely thought that this is a computationally difficult
problem.


Signing Messages in the ElGamal Cryptosystem 


We will describe a procedure invented by T. ElGamal in 1985 for signing messages using
the ElGamal cryptosystem. Suppose that a person's public key is (p, r, b) and his private
key is a, so that $b \equiv r^{a} \pmod{p}$. To sign a message P, the person with private key a
does the following: First, he selects an integer k with (k, p − 1) = 1. Next, he computes
$\gamma$, where

$$\gamma \equiv r^{k} \pmod{p}, \quad 0 < \gamma < p - 1$$

and

$$s \equiv (P - a\gamma)\,\overline{k} \pmod{p - 1}, \quad 0 < s < p - 2.$$

The signature on the message P is the pair $(\gamma, s)$. Note that this signature depends on the
value of the random integer k and can only be computed with knowledge of the private
key a.

To see that this is a valid signature scheme, note that we know the public key (p, r, b),
hence we can verify that the message came from the person who supposedly sent it. To
do this, we compute

$$V_1 \equiv \gamma^{s} b^{\gamma} \pmod{p}, \quad 0 < V_1 < p - 1$$

and

$$V_2 \equiv r^{P} \pmod{p}, \quad 0 < V_2 < p - 1.$$

For this signature to be valid, we must have $V_1 = V_2$. If the signature is valid, then

$$\begin{aligned}
V_1 &\equiv \gamma^{s} b^{\gamma} \pmod{p} \\
&\equiv \gamma^{(P - a\gamma)\overline{k}}\, b^{\gamma} \pmod{p} \\
&\equiv (\gamma^{\overline{k}})^{P - a\gamma}\, b^{\gamma} \pmod{p} \\
&\equiv r^{(P - a\gamma)}\, b^{\gamma} \pmod{p} \\
&\equiv r^{P}\, \overline{r^{a\gamma}}\, b^{\gamma} \pmod{p} \\
&\equiv r^{P}\, \overline{b^{\gamma}}\, b^{\gamma} \pmod{p} \\
&\equiv r^{P} \pmod{p} \\
&= V_2.
\end{aligned}$$

A different integer k should be chosen to sign each message in the ElGamal signature
scheme. If the same integer k is chosen for two signatures, it can be found from these
signatures, making it possible to find the private key a (see Exercise 8). Another concern
is whether someone could forge a signature on a message P by selecting an integer k
and computing $\gamma \equiv r^{k} \pmod{p}$ using the public key (p, r, b). To complete the signature,
this person also would have to compute $s \equiv (P - a\gamma)\,\overline{k} \pmod{p - 1}$. She cannot easily
find a, because computing a from b requires that a discrete logarithm be found, namely,
the discrete logarithm of b with respect to r modulo p. Not knowing a, a person could
select a value of s at random. The probability that this would work is only 1/p, which is
close to zero when p is large.


Example 10.7 illustrates how a message is signed using the ElGamal signature 
scheme. 


Example 10.7. Suppose that a person has a public ElGamal key of (p, r, b) =
(2539, 2, 1150) with corresponding private ElGamal key a = 14. To sign the plaintext
message P = 111, they first choose the integer k = 457, selected at random with
1 < k < 2538 and (k, 2538) = 1. Note that $\overline{457} \equiv 2227 \pmod{2538}$.

The signature of this plaintext message 111 is found by computing

$$\gamma \equiv 2^{457} \equiv 1079 \pmod{2539}$$

and

$$s \equiv (111 - 14 \cdot 1079) \cdot 2227 \equiv 1139 \pmod{2538}.$$

Anyone who has this signature (1079, 1139) and the message 111 can verify that the
signature is valid by computing

$$1150^{1079}\,1079^{1139} \equiv 1158 \pmod{2539}$$

and

$$2^{111} \equiv 1158 \pmod{2539}.$$
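Signing and verification as described above, with the values of Example 10.7, can be written as follows. This is an added example, not code from the book; the function names are hypothetical, and the second message 823 in the reuse check is a constructed value. Each signature gets a fresh k coprime to p − 1, verification rejects values outside the ranges given above, and `signatures_sharing_k` detects the reuse of k that the text warns against by looking for repeated $\gamma$.

```python
import secrets
from math import gcd


def fresh_k(p):
    """Random k in 1 .. p-2 with gcd(k, p - 1) = 1, as signing requires."""
    while True:
        k = 1 + secrets.randbelow(p - 2)
        if gcd(k, p - 1) == 1:
            return k


def sign(message, p, r, a, k=None):
    """Return (gamma, s): gamma = r^k mod p, s = (P - a*gamma) * k^-1 mod (p-1)."""
    if k is None:
        k = fresh_k(p)
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be relatively prime to p - 1")
    gamma = pow(r, k, p)
    s = (message - a * gamma) * pow(k, -1, p - 1) % (p - 1)
    return gamma, s


def verification_values(message, signature, pub):
    """Return (V1, V2) = (gamma^s * b^gamma mod p, r^P mod p)."""
    p, r, b = pub
    gamma, s = signature
    return pow(gamma, s, p) * pow(b, gamma, p) % p, pow(r, message, p)


def verify(message, signature, pub):
    """Accept only in-range signatures with V1 = V2."""
    p, _, _ = pub
    gamma, s = signature
    if not (0 < gamma < p and 0 <= s <= p - 2):
        return False
    v1, v2 = verification_values(message, signature, pub)
    return v1 == v2


def signatures_sharing_k(signatures):
    """Group indices of signatures with equal gamma = r^k, i.e. the same k."""
    by_gamma = {}
    for index, (gamma, _) in enumerate(signatures):
        by_gamma.setdefault(gamma, []).append(index)
    return [group for group in by_gamma.values() if len(group) > 1]


if __name__ == "__main__":
    p, r, a = 2539, 2, 14                  # keys of Example 10.7
    pub = (p, r, pow(r, a, p))
    sig = sign(111, p, r, a, k=457)
    print("signature:", sig)
    print("(V1, V2):", verification_values(111, sig, pub))
    print("valid for 111:", verify(111, sig, pub))
    print("valid for altered message 112:", verify(112, sig, pub))
    # Constructed second message signed with the same k: the repeat is visible.
    other = sign(823, p, r, a, k=457)
    print("signatures sharing k:", signatures_sharing_k([sig, other]))
    print("fresh k verifies:", verify(823, sign(823, p, r, a), pub))
```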


The ElGamal signature scheme has been modified to create another signature
scheme that is widely used, known as the Digital Signature Algorithm (DSA). The DSA
was incorporated in 1994 as a U.S. government standard, Federal Information Processing
Standard (FIPS) 186, commonly known as the Digital Signature Standard. To learn
how the ElGamal signature scheme was modified to produce the DSA, consult [St05]
and [MevaVa97].


EXERCISES 


1. Encrypt the message HAPPY BIRTHDAY using the ElGamal cryptosystem with the public
key (p, r, b) = (2551, 6, 33). Show how the resulting ciphertext can be decrypted using the
private key a = 13.

2. Encrypt the message DO NOT PASS GO using the ElGamal cryptosystem with the public
key (2591, 7, 591). Show how the resulting ciphertext can be decrypted using the private key
a = 99.

3. Decrypt the message (2161, 660), (2161, 1284), (2161, 1467) encrypted using the ElGamal
cryptosystem with public key (2713, 5, 193) corresponding to the private key 17.

4. Decrypt the message (1061, 2185), (1061, 733), (1061, 1096) encrypted using the ElGamal
cryptosystem with public key (2677, 2, 1410) corresponding to the private key 133.

5. Find the signature produced by the ElGamal signature scheme for the plaintext message
P = 823 with public key (p, r, b) = (2657, 3, 801), private key a = 211, and where the integer
k = 101 is selected to construct the signature. Show how this signature is verified.

6. Find the signature produced by the ElGamal signature scheme for the plaintext message
P = 2525 with public key (p, r, b) = (2543, 5, 1615), private key a = 99, and where the
integer k = 257 is selected to construct the signature. Show how this signature is verified.

7. Show that if the same random number k is used to encrypt two plaintext messages $P_1$ and $P_2$
using ElGamal encryption, then $P_2$ can be found once the plaintext message $P_1$ is known.

8. Show that if the same integer k is used to sign two different messages using the ElGamal
signature scheme, producing signatures $(\gamma_1, s_1)$ and $(\gamma_2, s_2)$, the integer k can be found from
these signatures as long as $s_1 \not\equiv s_2 \pmod{p - 1}$. Show that once k has been found, the private
key a is easily found.


Computations and Explorations


1. Construct a private key, public key pair for the ElGamal cryptosystem for each member of
your class. Put together a directory of the public keys.

2. For each member of your class, encrypt a message using the ElGamal cryptosystem using
the public keys published in the directory.

3. Decrypt the messages sent to you by your classmates that were encrypted using your ElGamal
public key.


Programming Projects


1. Encrypt messages using an ElGamal cryptosystem.

2. Decrypt messages that were encrypted using an ElGamal cryptosystem.

3. Sign messages using the ElGamal cryptosystem.


10.3 An Application to the Splicing of Telephone Cables


An interesting application of the preceding material involves the splicing of telephone
cables. We base our discussion on the exposition in [Or88], relating the contents of an
original article by Lawther [La35], reporting on work done for the Southwestern Bell
Telephone Company.


To develop the application, we first make the following definition. 


Definition. Let m be a positive integer and let a be an integer relatively prime to m.
The ±1-exponent of a modulo m is the smallest positive integer x such that

$$a^{x} \equiv \pm 1 \pmod{m}.$$

We are interested in determining the largest possible ±1-exponent of an integer
modulo m; we denote this by $\lambda_0(m)$. The following two theorems relate the value of the
maximal ±1-exponent $\lambda_0(m)$ to $\lambda(m)$, the minimal universal exponent modulo m.


First, we consider positive integers that possess primitive roots. 


Theorem 10.5. If m is a positive integer, m > 2, with a primitive root, then the maximal
±1-exponent $\lambda_0(m)$ equals $\phi(m)/2 = \lambda(m)/2$.

Proof. We first note that if m has a primitive root, then $\lambda(m) = \phi(m)$. By Theorem 7.6,
we know that $\phi(m)$ is even, so that $\phi(m)/2$ is an integer, if m > 2. Euler's theorem tells
us that

$$a^{\phi(m)} = (a^{\phi(m)/2})^{2} \equiv 1 \pmod{m},$$

for all integers a with (a, m) = 1. By Exercise 13 of Section 9.3, we know that when m
has a primitive root, the only solutions of $x^{2} \equiv 1 \pmod{m}$ are $x \equiv \pm 1 \pmod{m}$. Hence,

$$a^{\phi(m)/2} \equiv \pm 1 \pmod{m}.$$

This implies that

$$\lambda_0(m) \le \phi(m)/2.$$

Now, let r be a primitive root modulo m with ±1-exponent e. Then

$$r^{e} \equiv \pm 1 \pmod{m},$$

so that

$$r^{2e} \equiv 1 \pmod{m}.$$

Because $\mathrm{ord}_m r = \phi(m)$, Theorem 9.1 tells us that $\phi(m) \mid 2e$, or, equivalently, that
$(\phi(m)/2) \mid e$. Hence, the maximum ±1-exponent $\lambda_0(m)$ is at least $\phi(m)/2$. However,
we know that $\lambda_0(m) \le \phi(m)/2$. Consequently, $\lambda_0(m) = \phi(m)/2 = \lambda(m)/2$.


We now will find the maximal ±1-exponent of integers without primitive roots.

Theorem 10.6. If m is a positive integer without a primitive root, then the maximal
±1-exponent $\lambda_0(m)$ equals $\lambda(m)$, the minimal universal exponent of m.

Proof. We first show that if a is an integer of order $\lambda(m)$ modulo m with ±1-exponent
e such that

$$a^{\lambda(m)/2} \not\equiv -1 \pmod{m},$$

then $e = \lambda(m)$. Consequently, once we have found such an integer a, we will have shown
that $\lambda_0(m) = \lambda(m)$.

Assume that a is an integer of order $\lambda(m)$ modulo m with ±1-exponent e such that

$$a^{\lambda(m)/2} \not\equiv -1 \pmod{m}.$$

Because $a^{e} \equiv \pm 1 \pmod{m}$, it follows that $a^{2e} \equiv 1 \pmod{m}$. By Theorem 9.1, we know
that $\lambda(m) \mid 2e$. Because $\lambda(m) \mid 2e$ and $e \le \lambda(m)$, either $e = \lambda(m)/2$ or $e = \lambda(m)$. To
see that $e \ne \lambda(m)/2$, note that $a^{e} \equiv \pm 1 \pmod{m}$, but $a^{\lambda(m)/2} \not\equiv 1 \pmod{m}$, because
$\mathrm{ord}_m a = \lambda(m)$, and $a^{\lambda(m)/2} \not\equiv -1 \pmod{m}$, by hypothesis. Therefore, we can conclude
that if $\mathrm{ord}_m a = \lambda(m)$, a has ±1-exponent e, and $a^{\lambda(m)/2} \not\equiv -1 \pmod{m}$, then $e = \lambda(m)$.

We now find an integer a with the desired properties. Let the prime-power factorization
of m be $m = 2^{t_0} p_1^{t_1} p_2^{t_2} \cdots p_s^{t_s}$. We consider several cases.

We first consider those m with at least two different odd prime factors. Among the
prime powers $p_i^{t_i}$ dividing m, let $p_j^{t_j}$ be one with the smallest power of 2 dividing $\phi(p_j^{t_j})$.
Let $r_i$ be a primitive root of $p_i^{t_i}$ for i = 1, 2, ..., s. Let a be an integer satisfying the
simultaneous congruences

$$\begin{aligned}
a &\equiv 3 \pmod{2^{t_0}}, \\
a &\equiv r_i \pmod{p_i^{t_i}} \quad \text{for all } i \text{ with } i \ne j, \\
a &\equiv r_j^{2} \pmod{p_j^{t_j}}.
\end{aligned}$$

Such an integer a is guaranteed to exist by the Chinese remainder theorem. Note that

$$\mathrm{ord}_m a = [\lambda(2^{t_0}), \phi(p_1^{t_1}), \ldots, \phi(p_j^{t_j})/2, \ldots, \phi(p_s^{t_s})],$$

and, by our choice of $p_j^{t_j}$, we know that this least common multiple equals $\lambda(m)$.

Because $a \equiv r_j^{2} \pmod{p_j^{t_j}}$, it follows that $a^{\phi(p_j^{t_j})/2} \equiv 1 \pmod{p_j^{t_j}}$. Because
$\phi(p_j^{t_j})/2 \mid \lambda(m)/2$, we know that

$$a^{\lambda(m)/2} \equiv 1 \pmod{p_j^{t_j}},$$

so that

$$a^{\lambda(m)/2} \not\equiv -1 \pmod{m}.$$

Consequently, the ±1-exponent of a is $\lambda(m)$.

The next case that we consider deals with integers of the form $m = 2^{t_0} p_1^{t_1}$, where $p_1$
is an odd prime, $t_1 \ge 1$ and $t_0 \ge 2$, because m has no primitive roots. When $t_0 = 2$ or 3,
we have

$$\lambda(m) = [2, \phi(p_1^{t_1})] = \phi(p_1^{t_1}).$$

Let a be a solution of the simultaneous congruences

$$\begin{aligned}
a &\equiv 1 \pmod{4} \\
a &\equiv r \pmod{p_1^{t_1}},
\end{aligned}$$

where r is a primitive root of $p_1^{t_1}$. We see that $\mathrm{ord}_m a = \lambda(m)$. Because

$$a^{\lambda(m)/2} \equiv 1 \pmod{4},$$

we know that

$$a^{\lambda(m)/2} \not\equiv -1 \pmod{m}.$$

Consequently, the ±1-exponent of a is $\lambda(m)$.

When $t_0 \ge 4$, let a be a solution of the simultaneous congruences

$$\begin{aligned}
a &\equiv 3 \pmod{2^{t_0}} \\
a &\equiv r \pmod{p_1^{t_1}};
\end{aligned}$$

the Chinese remainder theorem tells us that such an integer exists. We see that
$\mathrm{ord}_m a = \lambda(m)$. Because $4 \mid \lambda(2^{t_0})$, we know that $4 \mid \lambda(m)$. Hence,

$$a^{\lambda(m)/2} \equiv 3^{\lambda(m)/2} \equiv (3^{2})^{\lambda(m)/4} \equiv 1 \pmod{8}.$$

Thus,

$$a^{\lambda(m)/2} \not\equiv -1 \pmod{m},$$

so that the ±1-exponent of a is $\lambda(m)$.

Finally, when $m = 2^{t_0}$ with $t_0 \ge 3$, we know from Theorem 9.12 that $\mathrm{ord}_m 5 = \lambda(m)$,
but

$$5^{\lambda(m)/2} \equiv (5^{2})^{\lambda(m)/4} \equiv 1 \pmod{8}.$$

Therefore, we see that

$$5^{\lambda(m)/2} \not\equiv -1 \pmod{m};$$

we conclude that the ±1-exponent of 5 is $\lambda(m)$.

This finishes the argument, because we have dealt with all cases where m does not
have a primitive root.


We now develop a system for splicing telephone cables. Telephone cables are made 
up of concentric layers of insulated copper wire, as illustrated in Figure 10.1, and are 
produced in sections of specified length. 
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Figure 10.1 A cross-section of one layer of a telephone cable. 


Telephone lines are constructed by splicing together sections of cable. When two 
wires are adjacent in the same layer in multiple sections of the cable, there are often 
problems with interference and crosstalk. Consequently, two wires adjacent in the same 
layer in one section should not be adjacent in the same layer in any nearby sections. For 
practical purposes, the splicing system should be simple. We use the following rules to 
describe the system: Wires in concentric layers are spliced to wires in the corresponding 
layers of the next section, following the identical splicing direction at each connection. In 
a layer with m wires, we connect the wire in position j in one section, where / < j <m, 
to the wire in position S(/) in the next section, where S(/) is the least positive residue 
of 1+ (j — l)s modulo m. Here, s is called the spread of the splicing system. We see 
that when a wire in one section is spliced to a wire in the next section, the adjacent wire 
in the first section is spliced to the wire in the next section in the position obtained by 
counting forward s modulo m from the position of the last wire spliced in this section. To 
have a one-to-one correspondence between wires of adjacent sections, we require that 
the spread s be relatively prime to the number of wires m. This shows that if wires in 
positions j and k are sent to the same wire in the next section, then $S(j) = S(k)$ and

$1 + (j-1)s \equiv 1 + (k-1)s \pmod m$,

so that $js \equiv ks \pmod m$. Because $(m, s) = 1$, from Corollary 4.4.1 we see that $j \equiv k \pmod m$,
which is impossible.


Example 10.8. Let us connect nine wires with a spread of 2. We have the correspondence

1 → 1    2 → 3    3 → 5
4 → 7    5 → 9    6 → 2
7 → 4    8 → 6    9 → 8,

as illustrated in Figure 10.2. ◄

Figure 10.2 Splicing of nine wires with a spread of 2.


The following result tells us the correspondence of wires in the first section of cable 
to the wires in the nth section. 


Theorem 10.7. Let $S_n(j)$ denote the position of the wire in the nth section spliced to
the jth wire of the first section. Then

$S_n(j) \equiv 1 + (j-1)s^{n-1} \pmod m$.

Proof. For n = 2, by the rules for the splicing system, we have

$S_2(j) \equiv 1 + (j-1)s \pmod m$,

so the proposition is true for n = 2. Now assume that

$S_n(j) \equiv 1 + (j-1)s^{n-1} \pmod m$.

Then, in the next section, we have the wire in position $S_n(j)$ spliced to the wire in
position

$S_{n+1}(j) \equiv 1 + (S_n(j) - 1)s$
$\equiv 1 + ((j-1)s^{n-1})s$
$\equiv 1 + (j-1)s^n \pmod m$.

This shows that the proposition is true. ∎


In the splicing system, we want to have wires adjacent in one section separated as
long as possible in the following sections. Theorem 10.7 tells us that after n splices,
the adjacent wires in the jth and (j + 1)th positions are connected to wires in positions
$S_n(j) \equiv 1 + (j-1)s^n \pmod m$ and $S_n(j+1) \equiv 1 + js^n \pmod m$, respectively. These
wires are adjacent in the nth section if, and only if,

$S_n(j) - S_n(j+1) \equiv \pm 1 \pmod m$,

or, equivalently,

$(1 + (j-1)s^n) - (1 + js^n) \equiv \pm 1 \pmod m$,

which holds if and only if

$s^n \equiv \pm 1 \pmod m$.

We can now apply the material at the beginning of this section. To keep wires that
are adjacent in the first section separated as long as possible thereafter, we should pick
for the spread s an integer with maximal ±1-exponent $\lambda_0(m)$.

Example 10.9. With 100 wires, we should choose a spread s so that the ±1-exponent
of s is $\lambda_0(100) = \lambda(100) = 20$. The appropriate computations show that s = 3 is such a
spread. ◄
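The splicing rule, Theorem 10.7, and the choice of spread can be checked by direct computation. The following Python sketch is an added illustration, not part of the original text; the function names are chosen here, and the brute-force routine counts sections with the indexing of Theorem 10.7, under which wires 1 and 2 are first adjacent again in section e + 1 when the spread has ±1-exponent e.

```python
from math import gcd

def _check(m, s):
    # The spread must be relatively prime to m for the splice to be one-to-one.
    if m < 3 or gcd(m, s) != 1:
        raise ValueError("need m >= 3 and a spread relatively prime to m")

def splice_map(m, s, n=2):
    """Theorem 10.7: position in section n of the wire that sits in position j
    of section 1, the least positive residue of 1 + (j-1)*s^(n-1) modulo m."""
    _check(m, s)
    factor = pow(s, n - 1, m)
    return {j: ((j - 1) * factor) % m + 1 for j in range(1, m + 1)}

def pm1_exponent(s, m):
    """±1-exponent of s modulo m: least n >= 1 with s^n ≡ 1 or -1 (mod m)."""
    _check(m, s)
    x, n = s % m, 1
    while x not in (1, m - 1):
        x, n = x * s % m, n + 1
    return n

def best_spreads(m):
    """Maximal ±1-exponent modulo m and every spread 2 <= s < m attaining it."""
    exps = {s: pm1_exponent(s, m) for s in range(2, m) if gcd(s, m) == 1}
    best = max(exps.values())
    return best, sorted(s for s, e in exps.items() if e == best)

def first_adjacent_section(m, s):
    """Brute force, no formula: follow wires 1 and 2 of section 1 through the
    splices and return the first section n >= 2 in which they are adjacent
    again (positions differing by ±1 modulo m in the circular layer)."""
    _check(m, s)
    a, b, n = 1, 2, 1
    while True:
        a = (a - 1) * s % m + 1
        b = (b - 1) * s % m + 1
        n += 1
        if (a - b) % m in (1, m - 1):
            return n

if __name__ == "__main__":
    print(splice_map(9, 2))             # the correspondence of Example 10.8
    print(best_spreads(100))            # maximal ±1-exponent and its spreads
    print(first_adjacent_section(100, 3))
```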


10.3. EXERCISES 


1. Find the maximal ±1-exponent of each of the following positive integers.


a) 17 c) 24 e) 99 
b) 22 d) 36 f) 100 

2. Find an integer with maximal ±1-exponent modulo each of the following positive integers.
a) 13 c) 15 e) 36 
b) 14 d) 25 f) 60 

3. Devise a splicing scheme for telephone cables containing each of the following number of 
wires. 
a) 50 wires b) 76 wires c) 125 wires 


* 4. Show that using any splicing system of telephone cables with m wires arranged in a concentric
layer, adjacent wires in one section can be kept separated in at most [(m − 1)/2] successive
sections of cable. Show that when m is prime, this upper limit is achieved using the system
developed in this section.


Computations and Explorations 


1. Find the maximal ±1-exponent of each positive integer less than 1000.


Programming Projects 


1. Given an integer m, find the maximal ±1-exponent of m.


2. Develop a scheme for splicing telephone cables as described in this section.


11 Quadratic Residues


When is an integer a a perfect square modulo a prime p? The work of the great
number theorists Euler, Legendre, and Gauss on this and related questions led to 
the development of much of modern number theory. In this chapter, we develop results, 
both old and new, created in the study of such questions. We first define the concept of a 
quadratic residue, an integer a that is a square modulo p, and establish basic properties 
of quadratic residues. We introduce the Legendre symbol, a notation that tells us whether 
an integer is a quadratic residue of p, and develop its basic properties. We state and prove 
two important criteria, discovered by Euler and by Gauss, for determining whether a is 
a quadratic residue modulo p, and use these criteria to determine whether —1 and 2 are 
quadratic residues of p. 


We also show that an integer that is a perfect square modulo pq, where p and q 
are primes, has exactly four incongruent square roots modulo pq. Modular square roots 
are used extensively in cryptography, such as in a protocol for fairly choosing a random 
bit (“flipping a coin electronically”). We will also illustrate (in the last section of the 
chapter) how modular square roots can be used in an interactive protocol to show that a 
person has some secret information, without revealing this information. 


Suppose that p and q are distinct odd primes. We can ask whether p is a square 
modulo q and whether q is a square modulo p. Is there any relationship between the
answers to these two questions? In this chapter, we will show that these answers are 
closely related in a way specified by the famous theorem called the law of quadratic 
reciprocity. This law was observed by Euler and Legendre, and ultimately proved by 
Gauss at the end of the eighteenth century. We will present one of the many proofs of 
this famous theorem, selected because it is one of the easiest to understand. The law of 
quadratic reciprocity has both theoretical and practical implications. We show how it can 
be used in computations and to prove useful results, such as Pepin’s test, which can be 
used to determine whether Fermat numbers are prime. 


The Legendre symbol, which tells us whether an integer is a quadratic residue mod- 
ulo p, can be generalized to the Jacobi symbol. We will establish the basic properties of 
Jacobi symbols and show that they satisfy a reciprocity law that is a consequence of the 
law of quadratic reciprocity. We show how Jacobi symbols can be used to simplify com- 
putations of Legendre symbols. We also use Jacobi symbols to introduce a particular type 
of pseudoprime, known as an Euler pseudoprime, which is an integer that masquerades 
as a prime by satisfying Euler’s criteria for quadratic residues. We will use this concept 
to develop a probabilistic primality test.


11.1 Quadratic Residues and Nonresidues


Let p be an odd prime and a an integer relatively prime to p. In this chapter, we devote 
our attention to the question: Is a a perfect square modulo p? We begin with a definition. 


Definition. If m is a positive integer, we say that an integer a is a quadratic residue of
m if (a, m) = 1 and the congruence $x^2 \equiv a \pmod m$ has a solution. If the congruence
$x^2 \equiv a \pmod m$ has no solution, we say that a is a quadratic nonresidue of m.


Example 11.1. To determine which integers are quadratic residues of 11, we compute
the squares of the integers 1, 2, 3, ..., 10. We find that $1^2 \equiv 10^2 \equiv 1 \pmod{11}$,
$2^2 \equiv 9^2 \equiv 4 \pmod{11}$, $3^2 \equiv 8^2 \equiv 9 \pmod{11}$, $4^2 \equiv 7^2 \equiv 5 \pmod{11}$, and
$5^2 \equiv 6^2 \equiv 3 \pmod{11}$. Hence, the quadratic residues of 11 are 1, 3, 4, 5, 9; the integers 2, 6, 7, 8, 10 are
quadratic nonresidues of 11. ◄


Note that the quadratic residues of the positive integer m are just the kth power 
residues of m with k = 2, as defined in Section 9.4. We will show that if p is an odd 
prime, then there are exactly as many quadratic residues as quadratic nonresidues of 
p among the integers 1, 2,..., p — 1. To demonstrate this fact, we use the following 
lemma. 


Lemma 11.1. Let p be an odd prime and a an integer not divisible by p. Then, the
congruence

$x^2 \equiv a \pmod p$

has either no solutions or exactly two incongruent solutions modulo p.


Proof. If $x^2 \equiv a \pmod p$ has a solution, say, $x = x_0$, then we can easily demonstrate
that $x = -x_0$ is a second incongruent solution. Because $(-x_0)^2 = x_0^2 \equiv a \pmod p$, we
see that $-x_0$ is a solution. We note that $x_0 \not\equiv -x_0 \pmod p$, for if $x_0 \equiv -x_0 \pmod p$,
then we have $2x_0 \equiv 0 \pmod p$. This is impossible by Lemma 3.5 because p is odd and
$p \nmid x_0$. (We see that $p \nmid x_0$ by noting that $x_0^2 \equiv a \pmod p$ and $p \nmid a$.)

To show that there are no more than two incongruent solutions, assume that $x = x_0$
and $x = x_1$ are both solutions of $x^2 \equiv a \pmod p$. Then we have $x_0^2 \equiv x_1^2 \equiv a \pmod p$,
so that $x_0^2 - x_1^2 = (x_0 + x_1)(x_0 - x_1) \equiv 0 \pmod p$. Hence, $p \mid (x_0 + x_1)$ or $p \mid (x_0 - x_1)$,
so that $x_1 \equiv -x_0 \pmod p$ or $x_1 \equiv x_0 \pmod p$. Therefore, if there is a solution of $x^2 \equiv a \pmod p$,
there are exactly two incongruent solutions. ∎


This leads us to the following theorem. 


Theorem 11.1. If p is an odd prime, then there are exactly $(p-1)/2$ quadratic residues
of p and $(p-1)/2$ quadratic nonresidues of p among the integers $1, 2, \ldots, p-1$.

Proof. To find all the quadratic residues of p among the integers $1, 2, \ldots, p-1$, we
compute the least positive residues modulo p of the squares of the integers $1, 2, \ldots, p-1$.
Because there are $p-1$ squares to consider, and because each congruence $x^2 \equiv a \pmod p$
has either zero or two solutions, there must be exactly $(p-1)/2$ quadratic residues of
p among the integers $1, 2, \ldots, p-1$. The remaining $p - 1 - (p-1)/2 = (p-1)/2$
positive integers less than $p - 1$ are quadratic nonresidues of p. ∎


Primitive roots and indices, studied in Chapter 9, provide an alternative method for 
proving results about quadratic residues. 


Theorem 11.2. Let p be a prime and let r be a primitive root of p. If a is an integer
not divisible by p, then a is a quadratic residue of p if $\mathrm{ind}_r a$ is even, and a is a quadratic
nonresidue of p if $\mathrm{ind}_r a$ is odd.


Proof. Suppose that $\mathrm{ind}_r a$ is even. Then $(r^{\mathrm{ind}_r a/2})^2 \equiv a \pmod p$, which shows that a
is a quadratic residue of p. Now suppose that a is a quadratic residue of p. Then there
exists an integer x such that $x^2 \equiv a \pmod p$. It follows that $\mathrm{ind}_r x^2 = \mathrm{ind}_r a$. By Part (iii)
of Theorem 9.16, it follows that $2 \cdot \mathrm{ind}_r x \equiv \mathrm{ind}_r a \pmod{\phi(p)}$, so $\mathrm{ind}_r a$ is even. We have
shown that a is a quadratic residue of p if and only if $\mathrm{ind}_r a$ is even. It follows that a is
a quadratic nonresidue of p if and only if $\mathrm{ind}_r a$ is odd. ∎


Note that by Theorem 11.2, every primitive root of an odd prime p is a quadratic 
nonresidue of p. 


We illustrate how the relationship between primitive roots and indices and quadratic 
residues can be used to prove results about quadratic residues by giving an alternative 
proof of Theorem 11.1. 


Proof. Let p be an odd prime with primitive root r. By Theorem 11.2, the quadratic
residues of p among the integers $1, 2, \ldots, p-1$ are those with even index to the base
r. It follows that the quadratic residues of p in this set are the least positive residues of
$r^k$, where k is an even integer with $1 \le k \le p-1$. The result follows because there are
exactly $(p-1)/2$ such integers. ∎


The special notation associated with quadratic residues is described in the following 
definition. 


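Definition. Let p be an odd prime and a be an integer not divisible by p. The Legendre
symbol $\left(\frac{a}{p}\right)$ is defined by

$\left(\frac{a}{p}\right) = \begin{cases} 1 & \text{if } a \text{ is a quadratic residue of } p; \\ -1 & \text{if } a \text{ is a quadratic nonresidue of } p. \end{cases}$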


This symbol is named after the French mathematician Adrien-Marie Legendre, who 
introduced the use of this notation. 


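Example 11.2. The previous example shows that the Legendre symbols $\left(\frac{a}{11}\right)$,
a = 1, 2, ..., 10, have the following values:

$\left(\frac{1}{11}\right) = \left(\frac{3}{11}\right) = \left(\frac{4}{11}\right) = \left(\frac{5}{11}\right) = \left(\frac{9}{11}\right) = 1$,
$\left(\frac{2}{11}\right) = \left(\frac{6}{11}\right) = \left(\frac{7}{11}\right) = \left(\frac{8}{11}\right) = \left(\frac{10}{11}\right) = -1$. ◄

We now present a criterion for deciding whether an integer is a quadratic residue of
a prime. This criterion is useful in demonstrating properties of the Legendre symbol.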


Theorem 11.3. Euler’s Criterion. Let p be an odd prime and let a be an integer not
divisible by p. Then

$\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod p$.


Proof. First, assume that $\left(\frac{a}{p}\right) = 1$. Then, the congruence $x^2 \equiv a \pmod p$ has a solution,
say $x = x_0$. Using Fermat’s little theorem, we see that

$a^{(p-1)/2} = (x_0^2)^{(p-1)/2} = x_0^{p-1} \equiv 1 \pmod p$.

Hence, if $\left(\frac{a}{p}\right) = 1$, we know that $\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod p$.


Now consider the case where $\left(\frac{a}{p}\right) = -1$. Then the congruence $x^2 \equiv a \pmod p$ has
no solutions. By Corollary 4.11.1, for each integer i with (i, p) = 1 there is an integer
j such that $ij \equiv a \pmod p$. Furthermore, because the congruence $x^2 \equiv a \pmod p$ has
no solutions, we know that $i \ne j$. Thus, we can group the integers $1, 2, \ldots, p-1$ into
$(p-1)/2$ pairs, each with product a. Multiplying these pairs together, we find that

$(p-1)! \equiv a^{(p-1)/2} \pmod p$.

Because Wilson’s theorem tells us that $(p-1)! \equiv -1 \pmod p$, we see that

$-1 \equiv a^{(p-1)/2} \pmod p$.

In this case, we also have $\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod p$. ∎


Example 11.3. Let p = 23 and a = 5. Because $5^{11} \equiv -1 \pmod{23}$, Euler’s criterion
tells us that $\left(\frac{5}{23}\right) = -1$. Hence, 5 is a quadratic nonresidue of 23. ◄


We now prove some properties of the Legendre symbol. 


ADRIEN-MARIE LEGENDRE (1752-1833) was born into a well-to-do family.
He was a professor at the Ecole Militaire in Paris from 1775 to 1780. In
1795, he was appointed professor at the Ecole Normale. His memoir Recherches
d’Analyse Indeterminée, published in 1785, contains a discussion of the law of
quadratic reciprocity, a statement of Dirichlet’s theorem on primes in arithmetic
progressions, and a discussion of the representation of positive integers as the
sum of three squares. He established the n = 5 case of Fermat’s last theorem.
Legendre wrote a textbook on geometry, Eléments de géométrie, that was used
for more than 100 years and served as a model for other textbooks. Legendre made fundamental
discoveries in mathematical astronomy and geodesy, and gave the first treatment of the law of least
squares.


Theorem 11.4. Let p be an odd prime and a and b be integers not divisible by p. Then

(i) if $a \equiv b \pmod p$, then $\left(\frac{a}{p}\right) = \left(\frac{b}{p}\right)$;
(ii) $\left(\frac{a}{p}\right)\left(\frac{b}{p}\right) = \left(\frac{ab}{p}\right)$;
(iii) $\left(\frac{a^2}{p}\right) = 1$.

Proof of (i). If $a \equiv b \pmod p$, then $x^2 \equiv a \pmod p$ has a solution if and only if $x^2 \equiv b \pmod p$
has a solution. Hence $\left(\frac{a}{p}\right) = \left(\frac{b}{p}\right)$.
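Proof of (ii). By Euler’s criterion, we know that

$\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod p$, $\left(\frac{b}{p}\right) \equiv b^{(p-1)/2} \pmod p$,

and

$\left(\frac{ab}{p}\right) \equiv (ab)^{(p-1)/2} \pmod p$.

Hence,

$\left(\frac{a}{p}\right)\left(\frac{b}{p}\right) \equiv a^{(p-1)/2} b^{(p-1)/2} = (ab)^{(p-1)/2} \equiv \left(\frac{ab}{p}\right) \pmod p$.

Because the only possible values of a Legendre symbol are ±1, we conclude that

$\left(\frac{a}{p}\right)\left(\frac{b}{p}\right) = \left(\frac{ab}{p}\right)$.


Proof of (iii). Because $\left(\frac{a}{p}\right) = \pm 1$, from part (ii) it follows that

$\left(\frac{a^2}{p}\right) = \left(\frac{a}{p}\right)\left(\frac{a}{p}\right) = 1$. ∎
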
Part (ii) of Theorem 11.4 has the following interesting consequence. The product of 
two quadratic residues, or of two quadratic nonresidues, of a prime is a quadratic residue 


of that prime, whereas the product of a quadratic residue and a quadratic nonresidue of 
a prime is a quadratic nonresidue. 


Relatively simple proofs of Theorems 11.3 and 11.4 can be constructed using the 
concepts of primitive roots and indices, together with Theorem 11.2. (See Exercises 30 
and 31 at the end of this section.) 


When is -1 a Quadratic Residue of the Prime p? 


For which odd primes not exceeding 20 is −1 a quadratic residue? Because $2^2 \equiv -1 \pmod 5$,
$5^2 \equiv -1 \pmod{13}$, and $4^2 \equiv -1 \pmod{17}$, we see that −1 is a quadratic residue of 5,
13, and 17. However, it is easy to see (as the reader should verify) that the congruence
$x^2 \equiv -1 \pmod p$ has no solution when p = 3, 7, 11, and 19. This evidence leads to the
conjecture that −1 is a quadratic residue of the prime p if and only if $p \equiv 1 \pmod 4$.
Using Euler’s criterion, we can prove this conjecture.


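Theorem 11.5. If p is an odd prime, then

$\left(\frac{-1}{p}\right) = \begin{cases} 1 & \text{if } p \equiv 1 \pmod 4; \\ -1 & \text{if } p \equiv -1 \pmod 4. \end{cases}$


Proof. By Euler’s criterion, we know that

$\left(\frac{-1}{p}\right) \equiv (-1)^{(p-1)/2} \pmod p$.

If $p \equiv 1 \pmod 4$, then p = 4k + 1 for some positive integer k. Thus,

$(-1)^{(p-1)/2} = (-1)^{2k} = 1$,

so that $\left(\frac{-1}{p}\right) = 1$. If $p \equiv 3 \pmod 4$, then p = 4k + 3 for some positive integer k. Thus,

$(-1)^{(p-1)/2} = (-1)^{2k+1} = -1$,

so that $\left(\frac{-1}{p}\right) = -1$. ∎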


Gauss’s Lemma 


The following elegant result of Gauss provides another criterion to determine whether 
an integer a relatively prime to the prime p is a quadratic residue of p. 


Lemma 11.2. Gauss’s Lemma. Let p be an odd prime and a an integer with (a, p) = 1.
If s is the number of least positive residues of the integers $a, 2a, 3a, \ldots, ((p-1)/2)a$
that are greater than p/2, then $\left(\frac{a}{p}\right) = (-1)^s$.


Proof. Consider the integers $a, 2a, \ldots, ((p-1)/2)a$. Let $u_1, u_2, \ldots, u_s$ be the least
positive residues of those that are greater than p/2, and let $v_1, v_2, \ldots, v_t$ be the least
positive residues of those integers that are less than p/2. Because (ja, p) = 1 for all j
with $1 \le j \le (p-1)/2$, these least positive residues are in the set $1, 2, \ldots, p-1$.


We will show that $p - u_1, p - u_2, \ldots, p - u_s, v_1, v_2, \ldots, v_t$ comprise the set of
integers $1, 2, \ldots, (p-1)/2$, in some order. To see this, we need only show that no two
of these integers are congruent modulo p, because there are exactly $(p-1)/2$ numbers
in the set and all are positive integers not exceeding $(p-1)/2$.


Clearly, no two of the $u_i$ are congruent modulo p and no two of the $v_j$ are congruent
modulo p; if a congruence of either of these two sorts held, we would have $ma \equiv na \pmod p$,
where m and n are both positive integers not exceeding $(p-1)/2$. Because
$p \nmid a$, this would imply that $m \equiv n \pmod p$, which is impossible.


In addition, one of the integers $p - u_i$ cannot be congruent to a $v_j$, for if such a
congruence held, we would have $ma \equiv p - na \pmod p$, so that $ma \equiv -na \pmod p$.
Because $p \nmid a$, this would imply that $m \equiv -n \pmod p$, which is impossible because
both m and n are in the set $1, 2, \ldots, (p-1)/2$.

Now that we know that $p - u_1, p - u_2, \ldots, p - u_s, v_1, v_2, \ldots, v_t$ are the integers
$1, 2, \ldots, (p-1)/2$, in some order, we conclude that

$(p - u_1)(p - u_2) \cdots (p - u_s) v_1 v_2 \cdots v_t = \left(\frac{p-1}{2}\right)!$,

which implies that

(11.1) $(-1)^s u_1 u_2 \cdots u_s v_1 v_2 \cdots v_t \equiv \left(\frac{p-1}{2}\right)! \pmod p$.

But, because $u_1, u_2, \ldots, u_s, v_1, v_2, \ldots, v_t$ are the least positive residues of $a, 2a, \ldots, ((p-1)/2)a$,
we also know that

(11.2) $u_1 u_2 \cdots u_s v_1 v_2 \cdots v_t \equiv a \cdot 2a \cdots ((p-1)/2)a = a^{(p-1)/2} ((p-1)/2)! \pmod p$.

Hence, from (11.1) and (11.2), we see that

$(-1)^s a^{(p-1)/2} ((p-1)/2)! \equiv ((p-1)/2)! \pmod p$.

Because $(p, ((p-1)/2)!) = 1$, this congruence implies that

$(-1)^s a^{(p-1)/2} \equiv 1 \pmod p$.

By multiplying both sides by $(-1)^s$, we obtain

$a^{(p-1)/2} \equiv (-1)^s \pmod p$.

Because Euler’s criterion tells us that $a^{(p-1)/2} \equiv \left(\frac{a}{p}\right) \pmod p$, it follows that

$\left(\frac{a}{p}\right) \equiv (-1)^s \pmod p$,

establishing Gauss’s lemma. ∎


Example 11.4. Let a = 5 and p = 11. To find $\left(\frac{5}{11}\right)$ by Gauss’s lemma, we compute
the least positive residues of 1·5, 2·5, 3·5, 4·5, and 5·5. These are 5, 10, 4, 9, and
3, respectively. Because exactly two of these are greater than 11/2, Gauss’s lemma tells
us that $\left(\frac{5}{11}\right) = (-1)^2 = 1$. ◄


When is 2 a Quadratic Residue of a Prime p? 


For which odd primes not exceeding 50 is 2 a quadratic residue? Because $3^2 \equiv 2 \pmod 7$,
$6^2 \equiv 2 \pmod{17}$, $5^2 \equiv 2 \pmod{23}$, $8^2 \equiv 2 \pmod{31}$, $17^2 \equiv 2 \pmod{41}$, and $7^2 \equiv 2 \pmod{47}$,
we see that 2 is a quadratic residue of 7, 17, 23, 31, 41, and 47. However, $x^2 \equiv 2 \pmod p$
has no solution when p = 3, 5, 11, 13, 19, 29, 37, and 43 (as the reader should
verify). Is there a pattern to the primes p for which 2 is a quadratic residue modulo p?
Examining these primes and noting that whether 2 is a quadratic residue of p seems to
depend on the congruence of p modulo 8, we conjecture that 2 is a quadratic residue of
the odd prime p if and only if $p \equiv \pm 1 \pmod 8$. Using Gauss’s lemma, we can prove this
conjecture.


Theorem 11.6. If p is an odd prime, then

$\left(\frac{2}{p}\right) = (-1)^{(p^2-1)/8}$.

Hence, 2 is a quadratic residue of all primes $p \equiv \pm 1 \pmod 8$ and a quadratic nonresidue
of all primes $p \equiv \pm 3 \pmod 8$.

Proof. By Gauss’s lemma, we know that if s is the number of least positive residues of
the integers

$1 \cdot 2,\ 2 \cdot 2,\ 3 \cdot 2,\ \ldots,\ ((p-1)/2) \cdot 2$

that are greater than p/2, then $\left(\frac{2}{p}\right) = (-1)^s$. Because all of these integers are less than p,
we need only count those greater than p/2 to find how many have least positive residues
greater than p/2.


The integer 2j, where $1 \le j \le (p-1)/2$, is less than p/2 when $j < p/4$. Hence,
there are [p/4] integers in the set less than p/2. Consequently, there are $s = (p-1)/2 - [p/4]$
greater than p/2. Therefore, by Gauss’s lemma, we see that

$\left(\frac{2}{p}\right) = (-1)^{(p-1)/2 - [p/4]}$.


To prove the theorem, it is enough to show that for every odd integer p,

(11.3) $\frac{p-1}{2} - [p/4] \equiv \frac{p^2-1}{8} \pmod 2$.


Note that (11.3) holds for a positive integer p if and only if it holds for p + 8. This 
follows because 


| | = 
and 
$\frac{(p+8)^2 - 1}{8} = \frac{p^2-1}{8} + 2p + 8 \equiv \frac{p^2-1}{8} \pmod 2$.


Thus, we can conclude that (11.3) holds for every odd integer n if it holds for p = ±1
and ±3. We leave it to the reader to verify that (11.3) holds for these four values of p.


It follows that for every prime p, we have $\left(\frac{2}{p}\right) = (-1)^{(p^2-1)/8}$.


From the computations of the congruence class of $(p^2-1)/8 \pmod 2$, we see that
$\left(\frac{2}{p}\right) = 1$ if $p \equiv \pm 1 \pmod 8$, while $\left(\frac{2}{p}\right) = -1$ if $p \equiv \pm 3 \pmod 8$. ∎

Example 11.5. By Theorem 11.6, we see that


@)-(2)=(3)-(2)* 
2)-@)-@)-A-B-B 


We now present an example to show how to evaluate some Legendre symbols. 


whereas 


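Example 11.6. To evaluate $\left(\frac{317}{11}\right)$, we use parts (i), (ii), and (iii) of Theorem 11.4 to
obtain

$\left(\frac{317}{11}\right) = \left(\frac{9}{11}\right) = \left(\frac{3}{11}\right)^2 = 1$,

because $317 \equiv 9 \pmod{11}$.

To evaluate $\left(\frac{89}{13}\right)$, because $89 \equiv -2 \pmod{13}$, we have

$\left(\frac{89}{13}\right) = \left(\frac{-2}{13}\right) = \left(\frac{-1}{13}\right)\left(\frac{2}{13}\right)$.

Because $13 \equiv 1 \pmod 4$, Theorem 11.5 tells us that $\left(\frac{-1}{13}\right) = 1$. Because $13 \equiv -3 \pmod 8$,
we see from Theorem 11.6 that $\left(\frac{2}{13}\right) = -1$. Consequently, $\left(\frac{89}{13}\right) = -1$. ◄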
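The three ways of deciding quadratic residuosity met so far (the definition, Euler's criterion, and Gauss's lemma) can be compared mechanically, together with the closed forms of Theorems 11.5 and 11.6. The following Python sketch is an added illustration, not part of the original text; all function names are chosen here.

```python
def is_odd_prime(p):
    """Trial division; adequate for the small primes used in this check."""
    return p > 2 and all(p % d for d in range(2, int(p ** 0.5) + 1))

def _check(a, p):
    if not is_odd_prime(p) or a % p == 0:
        raise ValueError("need an odd prime p and an integer a not divisible by p")

def quadratic_residues(p):
    """Definition: the distinct least positive residues of 1^2, 2^2, ..., (p-1)^2."""
    return sorted({x * x % p for x in range(1, p)})

def legendre_euler(a, p):
    """Euler's criterion (Theorem 11.3): (a/p) ≡ a^((p-1)/2) (mod p)."""
    _check(a, p)
    r = pow(a, (p - 1) // 2, p)        # r is 1 or p-1 because p does not divide a
    return -1 if r == p - 1 else r

def gauss_count(a, p):
    """The s of Gauss's lemma: how many of a, 2a, ..., ((p-1)/2)a have
    least positive residue greater than p/2."""
    _check(a, p)
    return sum(1 for j in range(1, (p - 1) // 2 + 1) if 2 * (j * a % p) > p)

def legendre_gauss(a, p):
    """Gauss's lemma (Lemma 11.2): (a/p) = (-1)^s."""
    return -1 if gauss_count(a, p) % 2 else 1

def cross_check(limit):
    """Compare every method for all odd primes p < limit; return the list of
    disagreements, which is empty if the theorems hold on this range."""
    mismatches = []
    for p in filter(is_odd_prime, range(3, limit)):
        residues = set(quadratic_residues(p))
        if len(residues) != (p - 1) // 2:                      # Theorem 11.1
            mismatches.append(("count", p))
        for a in range(1, p):
            by_definition = 1 if a in residues else -1
            if not (by_definition == legendre_euler(a, p) == legendre_gauss(a, p)):
                mismatches.append((a, p))
        if legendre_euler(-1, p) != (1 if p % 4 == 1 else -1):  # Theorem 11.5
            mismatches.append(("-1", p))
        if legendre_euler(2, p) != (-1) ** ((p * p - 1) // 8):  # Theorem 11.6
            mismatches.append(("2", p))
    return mismatches

if __name__ == "__main__":
    print(quadratic_residues(11))                      # Example 11.1
    print(legendre_euler(5, 23))                       # Example 11.3
    print(gauss_count(5, 11), legendre_gauss(5, 11))   # Example 11.4
    print(cross_check(200))
```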


In the next section, we will state and prove one of the most intriguing and challeng- 
ing results of elementary number theory, the law of quadratic reciprocity. This theorem 


relates the values of $\left(\frac{p}{q}\right)$ and $\left(\frac{q}{p}\right)$, where p and q are odd primes. The law of quadratic


reciprocity has many implications, both theoretical and practical, as we will see through- 
out this chapter. From a computational standpoint, we will see that it can help us evaluate 
Legendre symbols. 


Modular Square Roots 


Suppose that n = pq, where p and q are distinct odd primes, and suppose that the
congruence $x^2 \equiv a \pmod n$, where 0 < a < n and (a, n) = 1, has a solution $x = x_0$. We
will show that there are exactly four incongruent solutions modulo n. In other words, we
will show that a has four incongruent square roots modulo n. To see this, let $x_0 \equiv x_1 \pmod p$,
$0 < x_1 < p$, and let $x_0 \equiv x_2 \pmod q$, $0 < x_2 < q$. Then the congruence $x^2 \equiv a \pmod p$
has exactly two incongruent solutions modulo p, namely, $x \equiv x_1 \pmod p$ and $x \equiv p - x_1 \pmod p$.
Similarly, the congruence $x^2 \equiv a \pmod q$ has exactly two incongruent solutions
modulo q, namely, $x \equiv x_2 \pmod q$ and $x \equiv q - x_2 \pmod q$.

From the Chinese remainder theorem, there are exactly four incongruent solutions of
the congruence $x^2 \equiv a \pmod n$; these four incongruent solutions are the unique solutions
modulo pq of the four sets of simultaneous congruences:

(i) $x \equiv x_1 \pmod p$, $x \equiv x_2 \pmod q$;
(ii) $x \equiv x_1 \pmod p$, $x \equiv q - x_2 \pmod q$;
(iii) $x \equiv p - x_1 \pmod p$, $x \equiv x_2 \pmod q$;
(iv) $x \equiv p - x_1 \pmod p$, $x \equiv q - x_2 \pmod q$.

We denote solutions of (i) and (ii) by x and y, respectively. Solutions of (iii) and (iv) are
easily seen to be n − y and n − x, respectively.


We also note that when $p \equiv q \equiv 3 \pmod 4$, the solutions of $x^2 \equiv a \pmod p$ and of
$x^2 \equiv a \pmod q$ are $x \equiv \pm a^{(p+1)/4} \pmod p$ and $x \equiv \pm a^{(q+1)/4} \pmod q$, respectively.

By Euler’s criterion, we know that $a^{(p-1)/2} \equiv \left(\frac{a}{p}\right) = 1 \pmod p$ and $a^{(q-1)/2} \equiv \left(\frac{a}{q}\right) = 1 \pmod q$
(recall that we are assuming that $x^2 \equiv a \pmod{pq}$ has a solution, so that a is a
quadratic residue of both p and q). Hence,

$(a^{(p+1)/4})^2 = a^{(p+1)/2} = a^{(p-1)/2} \cdot a \equiv a \pmod p$

and

$(a^{(q+1)/4})^2 = a^{(q+1)/2} = a^{(q-1)/2} \cdot a \equiv a \pmod q$.


Using the Chinese remainder theorem, together with the explicit solutions just
constructed, we can easily find the four incongruent solutions of $x^2 \equiv a \pmod n$. The
following example illustrates this procedure.


Example 11.7. Suppose that we know a priori that the congruence

$x^2 \equiv 860 \pmod{11{,}021}$

has a solution. Because 11,021 = 103 · 107, to find the four incongruent solutions we
solve the congruences

$x^2 \equiv 860 \equiv 36 \pmod{103}$

and

$x^2 \equiv 860 \equiv 4 \pmod{107}$.

The solutions of these congruences are

$x \equiv \pm 36^{(103+1)/4} = \pm 36^{26} \equiv \pm 6 \pmod{103}$

and

$x \equiv \pm 4^{(107+1)/4} = \pm 4^{27} \equiv \pm 2 \pmod{107}$,

respectively. Using the Chinese remainder theorem, we obtain $x \equiv \pm 212, \pm 109 \pmod{11{,}021}$
as the solutions of the four systems of congruences described by the four possible
choices of signs in the system of congruences $x \equiv \pm 6 \pmod{103}$, $x \equiv \pm 2 \pmod{107}$. ◄




Flipping Coins Electronically 


An interesting and useful application of the properties of quadratic residues is a method to 
“flip coins” electronically, invented by Blum [B182]. This method takes advantage of the 
difference in the length of time needed to find primes and needed to factor integers that 
are the products of two primes, also the basis of the RSA cipher discussed in Chapter 8. 


We now describe a method for electronically flipping coins. Suppose that Bob and
Alice are communicating electronically. Alice picks two distinct large primes p and q,
with $p \equiv q \equiv 3 \pmod 4$. Alice sends Bob the integer n = pq. Bob picks, at random,
a positive integer x less than n and sends to Alice the integer a with $x^2 \equiv a \pmod n$,
0 < a < n. Alice finds the four solutions of $x^2 \equiv a \pmod n$, namely, x, y, n − x, and
n − y. Alice picks one of these four solutions and sends it to Bob. Note that because
$x + y \equiv 2x_1 \not\equiv 0 \pmod p$ and $x + y \equiv 0 \pmod q$, we have (x + y, n) = q, and, similarly,
(x + (n − y), n) = p. Thus, if Bob receives either y or n − y, he can rapidly factor n
by using the Euclidean algorithm to find one of the two prime factors of n. On the other
hand, if Bob receives either x or n − x, he has no way to factor n in a reasonable length
of time.


Consequently, Bob wins the coin flip if he can factor n, whereas Alice wins if Bob
cannot factor n. From previous comments, we know that there is an equal chance for
Bob to receive a solution of $x^2 \equiv a \pmod n$ that helps him rapidly factor n, or a solution
of $x^2 \equiv a \pmod n$ that does not help him factor n. Hence, the coin flip is fair.
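The square-root procedure of Example 11.7 and the coin-flipping exchange just described can be carried out together in a few lines. The following Python sketch is an added illustration, not part of the original text; the function names are chosen here, and the small primes 103 and 107 of Example 11.7 stand in for the large primes the protocol calls for.

```python
from math import gcd

def sqrt_mod_prime_3mod4(a, p):
    """One square root of a modulo a prime p ≡ 3 (mod 4): a^((p+1)/4) mod p."""
    if p % 4 != 3:
        raise ValueError("this formula needs p ≡ 3 (mod 4)")
    r = pow(a, (p + 1) // 4, p)
    if r * r % p != a % p:
        raise ValueError("a is not a quadratic residue of p")
    return r

def crt(r1, p, r2, q):
    """Chinese remainder theorem: the x modulo pq with x ≡ r1 (mod p), x ≡ r2 (mod q)."""
    return (r1 + p * ((r2 - r1) * pow(p, -1, q) % q)) % (p * q)

def four_roots(a, p, q):
    """Alice's step: the four incongruent square roots of a modulo n = pq,
    one for each choice of signs in systems (i)-(iv)."""
    x1, x2 = sqrt_mod_prime_3mod4(a, p), sqrt_mod_prime_3mod4(a, q)
    return sorted(crt(s1, p, s2, q) for s1 in (x1, p - x1) for s2 in (x2, q - x2))

def bob_factor(n, x, reply):
    """Bob's step: (x + reply, n) is a prime factor of n exactly when the reply
    is neither x nor n - x; otherwise the gcd is 1 or n and tells him nothing."""
    g = gcd(x + reply, n)
    return g if 1 < g < n else None

def coin_flip(p, q, x):
    """Winner for each of the four replies Alice could send when Bob's secret is x."""
    n = p * q
    if not 0 < x < n or gcd(x, n) != 1:
        raise ValueError("x must be a positive integer less than n with (x, n) = 1")
    a = x * x % n                       # the only value Bob reveals to Alice
    return {r: ("Bob" if bob_factor(n, x, r) else "Alice")
            for r in four_roots(a, p, q)}

if __name__ == "__main__":
    print(four_roots(860, 103, 107))    # the roots ±109, ±212 of Example 11.7
    print(coin_flip(103, 107, 109))     # Bob wins on exactly two of the four replies
```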


11.1 EXERCISES 


1. Find all of the quadratic residues of each of the following integers. 


a) 3 b) 5 c) 13 d) 19 
2. Find all of the quadratic residues of each of the following integers. 
a) 7 b) 8 c) 15 d) 18 


3. Find the value of the Legendre symbols (4) for j = 1,2, 3, 4. 
4. Find the value of the Legendre symbols (4) for j = 1,2, 3, 4, 5, 6. 


5. Evaluate the Legendre symbol (3) 


a) using Euler’s criterion. 
b) using Gauss’s lemma. 


6. Let a and b be integers not divisible by the prime p. Show that either one or all three of the 
integers a, b, and ab are quadratic residues of p. 


7. Show that if p is an odd prime, then

$\left(\frac{-2}{p}\right) = \begin{cases} 1 & \text{if } p \equiv 1 \text{ or } 3 \pmod 8; \\ -1 & \text{if } p \equiv -1 \text{ or } -3 \pmod 8. \end{cases}$


8. Show that if the prime-power factorization of n is

$n = p_1^{2t_1+1} p_2^{2t_2+1} \cdots p_k^{2t_k+1} p_{k+1}^{2t_{k+1}} \cdots p_m^{2t_m}$

and q is a prime not dividing n, then

$\left(\frac{n}{q}\right) = \left(\frac{p_1}{q}\right)\left(\frac{p_2}{q}\right) \cdots \left(\frac{p_k}{q}\right)$.


9. Show that if p is prime and $p \equiv 3 \pmod 4$, then $[(p-1)/2]! \equiv (-1)^t \pmod p$, where t is
the number of positive integers less than p/2 that are nonquadratic residues of p.


10. Show that if b is a positive integer not divisible by the prime p, then

$\left(\frac{b}{p}\right) + \left(\frac{2b}{p}\right) + \left(\frac{3b}{p}\right) + \cdots + \left(\frac{(p-1)b}{p}\right) = 0$.


11. Let p be prime and a be a quadratic residue of p. Show that if $p \equiv 1 \pmod 4$, then −a is also
a quadratic residue of p, whereas if $p \equiv 3 \pmod 4$, then −a is a quadratic nonresidue of p.


12. Consider the quadratic congruence $ax^2 + bx + c \equiv 0 \pmod p$, where p is prime and a, b,
and c are integers with $p \nmid a$.

a) Let p = 2. Determine which quadratic congruences (mod 2) have solutions.

b) Let p be an odd prime and let $d = b^2 - 4ac$. Show that the congruence $ax^2 + bx + c \equiv 0 \pmod p$
is equivalent to the congruence $y^2 \equiv d \pmod p$, where y = 2ax + b. Conclude
that if $d \equiv 0 \pmod p$, then there is exactly one solution x modulo p; if d is a quadratic
residue of p, then there are two incongruent solutions; and if d is a quadratic nonresidue
of p, then there are no solutions.


13. Find all solutions of the following quadratic congruences.

a) $x^2 + x + 1 \equiv 0 \pmod 7$

b) $x^2 + 5x + 1 \equiv 0 \pmod 7$

c) $x^2 + 3x + 1 \equiv 0 \pmod 7$

14. Show that if p is prime and p > 7, then there are always two consecutive quadratic residues
of p. (Hint: First show that at least one of 2, 5, and 10 is a quadratic residue of p.)

15. Show that if p is prime and p > 7, then there are always two quadratic residues of p that
differ by 2.

16. Show that if p is prime and p > 7, then there are always two quadratic residues of p that
differ by 3.

17. Show that if a is a quadratic residue of the prime p, then the solutions of $x^2 \equiv a \pmod p$ are

a) $x \equiv \pm a^{n+1} \pmod p$, if p = 4n + 3.

b) $x \equiv \pm a^{n+1}$ or $\pm 2^{2n+1} a^{n+1} \pmod p$, if p = 8n + 5.

18. Show that if p is a prime and p = 8n + 1, and r is a primitive root modulo p, then the solutions
of $x^2 \equiv \pm 2 \pmod p$ are given by

$x \equiv \pm (r^{7n} \pm r^n) \pmod p$,

where the ± sign in the first congruence corresponds to the ± sign inside the parentheses in
the second congruence.


19. 
20. 
21. 
22. 


23. 


24. 


25. 


26. 


27. 


28. 


29. 
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Find all solutions of the congruence x? = 1(mod 15). 
Find all solutions of the congruence x* = 58 (mod 77). 
Find all solutions of the congruence x? = 207 (mod 1001). 


Let p be an odd prime, e a positive integer, and a an integer relatively prime to p. Show that 
the congruence x? = a (mod p°) has either no solutions or exactly two incongruent solutions. 


Let p be an odd prime, e a positive integer, and a an integer relatively prime to p. Show that 
there is a solution to the congruence x” = a (mod p°t!) if and only if there is a solution to 
the congruence x” = a (mod p°). Use Exercise 22 to conclude that the congruence x” =a 
(mod p*) has no solutions if a is a quadratic nonresidue of p, and exactly two incongruent 
solutions modulo p if a is a quadratic residue of p. 


Letn be an odd integer. Find the number of incongruent solutions modulo n of the congruence 
2 = ‘i : 5 _ ty ty t B 

x* =a (mod n), where n has prime-power factorization n = p, p; --- pi, in terms of the 

Legendre symbols (+) dade os (+). (Hint: Use Exercise 23.) 


Find the number of incongruent solutions of each of the following congruences. 
a) x2 = 31 (mod 75) c) x” = 46 (mod 231) 
b) x7 = 16 (mod 105) = d) x” = 1156 (mod 37537°11°) 


Show that the congruence x7=a (mod 2°), where e is an integer, e > 3, has either no solutions 
or exactly four incongruent solutions. (Hint: Use the fact that (+x)? = (2°-! + x)? (mod 2°).) 


Show that there are infinitely many primes of the form 4k + 1. (Hint: Assume that p;, po,..., 
P,, are the only such primes. Form N = 4(p,p>--+ p,,)? + 1, and show, using Theorem 11.5, 
that N has a prime factor of the form 4k + 1 that is not one of pj, po, .-., Dn-) 


Show that there are infinitely many primes of each of the following forms. 
a) 8k +3 b) 8K +5 c) 8k +7 


(Hint: For each part, assume that there are only finitely many primes pj, pz, ..., Pp, of the 
particular form. For part (a), look at (p,p2--- Pn) + 2; for part (b), look at (p,p2--- Pn? + 
4; and for part (c), look at (4p, p> +++ p,)” — 2. In each part, show that there is a prime factor 
of this integer of the required form not among the primes pj, P2,..., P,- Use Theorems 11.5 
and 11.6.) 


Let p and q be odd primes with $p \equiv q \equiv 3 \pmod{4}$ and let a be a quadratic residue of n = pq.
Show that exactly one of the four incongruent square roots of a modulo pq is a quadratic
residue of n.


Prove Theorem 11.3 using the concept of primitive roots and indices.
Prove Theorem 11.4 using the concept of primitive roots and indices.


Let p be an odd prime. Show that there are $(p-1)/2 - \phi(p-1)$ quadratic nonresidues of
p that are not primitive roots of p.


Let p and q = 2p + 1 both be odd primes. Show that the p − 1 primitive roots of q are the
quadratic nonresidues of q, other than the nonresidue 2p of q.


Show that if p and q = 4p + 1 are both primes and if a is a quadratic nonresidue of q with
$\operatorname{ord}_q a \neq 4$, then a is a primitive root of q.


Show that a prime p is a Fermat prime if and only if every quadratic nonresidue of p is also
a primitive root of p.
39.


40. 


43. 
* 44, 
Show that a prime divisor p of the Fermat number $F_n = 2^{2^n} + 1$ must be of the form $2^{n+2}k + 1$.
(Hint: Show that $\operatorname{ord}_p 2 = 2^{n+1}$. Then show that $2^{(p-1)/2} \equiv 1 \pmod{p}$ using Theorem 11.6.
Conclude that $2^{n+1} \mid (p-1)/2$.)


a) Show that if p is a prime of the form 4k + 3 and q = 2p + 1 is prime, then q divides the
Mersenne number $M_p = 2^p - 1$. (Hint: Consider the Legendre symbol $\left(\frac{2}{q}\right)$.)
b) From part (a), show that $23 \mid M_{11}$, $47 \mid M_{23}$, and $503 \mid M_{251}$.


Show that if n is a positive integer and 2n + 1 is prime, and if $n \equiv 0$ or $3 \pmod{4}$, then 2n + 1
divides the Mersenne number $M_n = 2^n - 1$, whereas if $n \equiv 1$ or $2 \pmod{4}$, then 2n + 1 divides
$M_n + 2 = 2^n + 1$. (Hint: Consider the Legendre symbol $\left(\frac{2}{2n+1}\right)$ and use Theorem 11.5.)


Show that if p is an odd prime, then every prime divisor q of the Mersenne number $M_p$ must
be of the form $q = 8k \pm 1$, where k is a positive integer. (Hint: Use Exercise 38.)


Show how Exercise 39, together with Theorem 7.12, can be used to help show that M7 is 
prime. 


. Show that if p is an odd prime, then 


(Hint: First show that (40) = (#) , where j is an inverse j of modulo p.) 


Let p be an odd prime. Among pairs of consecutive positive integers less than p, let (RR),
(RN), (NR), and (NN) denote the number of pairs of two quadratic residues, of a quadratic
residue followed by a quadratic nonresidue, of a quadratic nonresidue followed by a quadratic
residue, and of two quadratic nonresidues, respectively.


a) Show that

$$(RR) + (RN) = \tfrac{1}{2}\left(p - 2 - (-1)^{(p-1)/2}\right)$$
$$(NR) + (NN) = \tfrac{1}{2}\left(p - 2 + (-1)^{(p-1)/2}\right)$$
$$(RR) + (NR) = \tfrac{1}{2}(p - 1) - 1$$
$$(RN) + (NN) = \tfrac{1}{2}(p - 1)$$


b) Using Exercise 41, show that

$$\sum_{j=1}^{p-2} \left(\frac{j(j+1)}{p}\right) = (RR) + (NN) - (RN) - (NR) = -1.$$


c) From parts (a) and (b), find (RR), (RN), (NR), and (NN). 
Use Theorem 9.16 to prove Theorem 11.1. 
Let p and q be odd primes. Show that 2 is a primitive root of q, if q = 4p + 1.


45. 


46. 


47. 
48. 
49. 


50. 


51. 


52. 
Let p and q be odd primes. Show that 2 is a primitive root of q, if p is of the form 4k + 1
and q = 2p + 1.


Let p and q be odd primes. Show that −2 is a primitive root of q, if p is of the form 4k − 1
and q = 2p + 1.


Let p and q be odd primes. Show that −4 is a primitive root of q, if q = 2p + 1.
Find the solutions of $x^2 \equiv 482 \pmod{2773}$ (note that 2773 = 47 · 59).


In this exercise, we develop a method for decrypting messages encrypted using a Rabin cipher. 
Recall that the relationship between a ciphertext block C and the corresponding plaintext 
block P in a Rabin cipher is C = P(P + 2b) (mod n), where n = pq, p and q are distinct 
odd primes, and b is a positive integer less than n. 


a) Show that C + a = (P + 2b)? (mod n), where a = (2b) (mod n), and 2 is an inverse of 
2 modulo n. 

b) Using the algorithm in the text for solving congruences of the type $x^2 \equiv a \pmod{n}$,
together with part (a), show how to find a plaintext block P from the corresponding
ciphertext block C. Explain why there are four possible plaintext messages. (This ambiguity
is a disadvantage of Rabin ciphers.)

c) Decrypt the ciphertext message 1819 0459 0803 that was encrypted using the Rabin
cryptosystem with b = 3 and n = 47 · 59 = 2773.


Let p be an odd prime, and let C be the ciphertext obtained in modular exponentiation, with
exponent e and modulus p, from the plaintext P, that is, $C \equiv P^e \pmod{p}$, 0 < C < n, where
(e, p − 1) = 1. Show that C is a quadratic residue of p if and only if P is a quadratic residue
of p.


a) Show that the second player in a game of electronic poker (see Section 8.6) can obtain an 
advantage by noting which cards have numerical equivalents that are quadratic residues 
modulo p. (Hint: Use Exercise 50.) 

b) Show that the advantage of the second player noted in part (a) can be eliminated if the 
numerical equivalents of cards that are quadratic nonresidues are all multiplied by a fixed 
quadratic nonresidue. 


Show that if the probing sequence for resolving collisions in a hashing scheme is
$h_j(K) \equiv h(K) + aj + bj^2 \pmod{m}$, where h(K) is a hashing function, m is a positive integer, and a
and b are integers with (b, m) = 1, then only half the possible file locations are probed. This
is called the quadratic search.


We say that x and y form a chain of quadratic residues modulo p if x, y, and x + y are all 
quadratic residues modulo p. 


53. 
54. 


Find a chain x, y, x + y of quadratic residues modulo 11. 


Is there a chain of quadratic residues modulo 7? 


Computations and Explorations 


1. 


Find the value of each of the following Legendre symbols: (353s): (=a). and 


6,818,811 
15,454, 350,666,611 }* 
9.
10.
Show that the prime p = 30,059,924,764,123 has $\left(\frac{q}{p}\right) = -1$ for all primes q with 2 < q < 181.


A set of integers $x_1, x_2, \ldots, x_n$, where n is a positive integer, is called a chain of quadratic
residues if all sums of consecutive subsets of these numbers are quadratic residues. Show
that the integers 1, 4, 45, 94, 261, 310, 344, 387, 393, 394, and 456 form a chain of quadratic
residues modulo 631. (Note: There are 66 values to check.)


. Find the smallest quadratic nonresidue of each prime less than 1000. 


. Find the smallest quadratic nonresidue of 100 randomly selected primes between 100,000 


and 1,000,000, and 100 randomly selected primes between 100,000,000 and 1,000,000,000. 
Can you make any conjectures based on your evidence? 


Use numerical evidence to determine for which odd primes p there are more quadratic
residues a of p with $1 \le a \le (p-1)/2$ than there are with $(p+1)/2 \le a \le p-1$.


Let p be a prime with $p \equiv 3 \pmod{4}$. It has been proved that if R is the largest number of
consecutive quadratic residues of p and N is the largest number of consecutive quadratic
nonresidues of p, then $R = N < \sqrt{p}$. Verify this result for all primes of this type less than
1000.


Let p be a prime with $p \equiv 1 \pmod{4}$. It has been conjectured that if N is the largest number
of consecutive quadratic nonresidues of p, then $N < \sqrt{p}$ when p is sufficiently large. Find
evidence for this conjecture. For which small primes does this inequality fail?


Find the four modular square roots of 4,609,126 modulo 14,438,821 = 4003 - 3607. 
Find the square roots of 11,535 modulo 142,661. Which one is a quadratic residue of 142,661? 


Programming Projects 


1. 
2. 
3. 


11.2 


Evaluate Legendre symbols using Euler’s criterion. 
Evaluate Legendre symbols using Gauss’s lemma. 


Given a positive integer n that is the product of two distinct primes both congruent to 3 modulo
4, find the four square roots of the least positive residue of $x^2$, where x is an integer relatively
prime to n.


. Flip coins electronically using the procedure described in this section. 


. Decrypt messages that were encrypted using a Rabin cryptosystem (see Exercise 49). 
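

The square-root step that the programming projects above rely on (four square roots modulo n = pq with both primes congruent to 3 modulo 4, which is also the core of Rabin decryption) can be sketched as follows. This is an added example, not code from the book; the function names are hypothetical, the modulus 2773 = 47 · 59 is the one used in the exercises, and the input 1234 is a constructed sample.

```python
from math import gcd


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, via Euler's criterion."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r  # r is 0, 1 or p - 1


def sqrt_mod_prime_3mod4(a, p):
    """Return one square root of a modulo a prime p with p % 4 == 3, or None.

    If a is a quadratic residue, a^((p-1)/2) = 1 (mod p), hence
    (a^((p+1)/4))^2 = a^((p+1)/2) = a * a^((p-1)/2) = a (mod p).
    """
    if p % 4 != 3:
        raise ValueError("this shortcut needs p congruent to 3 modulo 4")
    a %= p
    r = pow(a, (p + 1) // 4, p)
    return r if (r * r) % p == a else None  # None: a is a nonresidue of p


def crt_pair(rp, p, rq, q):
    """Unique x modulo pq with x = rp (mod p) and x = rq (mod q)."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)


def square_roots_mod_pq(a, p, q):
    """All square roots of a modulo n = pq (four of them, or none).

    Requires distinct primes p, q congruent to 3 modulo 4 and gcd(a, n) = 1,
    so that the four sign combinations give four distinct roots.
    """
    n = p * q
    if p == q or gcd(a, n) != 1:
        raise ValueError("need distinct primes and a relatively prime to pq")
    rp = sqrt_mod_prime_3mod4(a, p)
    rq = sqrt_mod_prime_3mod4(a, q)
    if rp is None or rq is None:
        return []  # a is a nonresidue of p or of q: no solutions
    return sorted({crt_pair(sp, p, sq, q)
                   for sp in (rp, p - rp)
                   for sq in (rq, q - rq)})


def residue_roots(a, p, q):
    """The roots of a that are themselves quadratic residues of pq."""
    return [r for r in square_roots_mod_pq(a, p, q)
            if legendre(r, p) == 1 and legendre(r, q) == 1]


if __name__ == "__main__":
    P, Q = 47, 59                      # modulus used in the exercises
    x = 1234                           # constructed sample, coprime to 2773
    a = (x * x) % (P * Q)
    roots = square_roots_mod_pq(a, P, Q)
    print("a =", a, "roots:", roots)
    print("root that is itself a residue:", residue_roots(a, P, Q))
```

The ambiguity noted for Rabin ciphers is visible here: a receiver who knows p and q still obtains four candidates and needs extra structure in the plaintext to pick one.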


The Law of Quadratic Reciprocity 


Suppose that p and q are distinct odd primes. Suppose further that we know whether
q is a quadratic residue of p. Do we also know whether p is a quadratic residue of q?
The answer to this question was found by Euler in the mid-1700s. He found the answer
by examining numerical evidence, but he did not prove that his answer was correct.
Later, in 1785, Legendre reformulated Euler’s answer, in its modern, elegant form, in
a theorem known as the law of quadratic reciprocity. This theorem tells us whether the
congruence $x^2 \equiv q \pmod{p}$ has solutions, once we know whether there are solutions of
$x^2 \equiv p \pmod{q}$.


Theorem 11.7. The Law of Quadratic Reciprocity. Let p and q be distinct odd
primes. Then

$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{\frac{p-1}{2} \cdot \frac{q-1}{2}}.$$


Legendre published several proposed proofs of this theorem, but each of his proofs 
contained a serious gap. The first correct proof was provided by Gauss, who claimed 
to have rediscovered this result when he was 18 years old. Gauss devoted considerable 
attention to his search for a proof. In fact, he wrote that “for an entire year this theorem 
tormented me and absorbed my greatest efforts until at last I obtained a proof.” 


Once Gauss found his first proof in 1796, he continued searching for additional 
proofs. He found at least six different proofs of the law of quadratic reciprocity. His goal 
in looking for more proofs was to find an approach that could be generalized to higher 
powers. In particular, he was interested in cubic and biquadratic residues of primes; that 
is, he was interested in determining when, given a prime p and an integer a not divisible 
by p, the congruences $x^3 \equiv a \pmod{p}$ and $x^4 \equiv a \pmod{p}$ are solvable. With his sixth
proof, Gauss finally succeeded in his goal, as this proof could be generalized to higher 
powers. (See [IrRo95], [Go98], and [Le00] for more information about Gauss’s proofs 
and the generalization to higher power residues.) 


Finding new and different approaches did not stop with Gauss. Some of the well-known
mathematicians who have published original proofs of the law of quadratic
reciprocity are Cauchy, Dedekind, Dirichlet, Kronecker, and Eisenstein. One count in 
1921 stated that there were 56 different proofs of the law of quadratic reciprocity, and in 
1963 an article published by M. Gerstenhaber [Ge63] offered the 152nd proof of the law 
of quadratic reciprocity. In 2000, Franz Lemmermeyer [Le00] compiled a comprehensive 
list of 192 proofs of quadratic reciprocity, noting for each proof the year, the prover, and 
the method of proof. Lemmermeyer maintains a current version of this on the Web; as 
of early 2010, 233 different proofs were listed. Not only does he add new proofs to this 
list, but he also adds overlooked older proofs. According to his count, Gerstenhaber’s 
proof is number 159, and 34 of the proofs were completed in the last ten years. It will 
be interesting to see if new proofs continue to be found at the rate of one per year. 
(See Exercise 17 for an outline of the 221st proof.) Although many of the different 
proofs of the law of quadratic reciprocity are similar, they encompass an amazing variety 
of approaches. The ideas in different approaches can have useful consequences. For 
example, the ideas behind Gauss’s first proof, which is a complicated argument using 
mathematical induction, were of little interest to mathematicians for more than 175 years, 
until they were used in the 1970s in computations in an advanced area of algebra known 
as K-theory. 


The version of the law of quadratic reciprocity that we have stated and proved is 
different from the version originally conjectured by Euler. This version, which we now 
state, turns out to be equivalent to the version we have stated as Theorem 11.7. Euler
formulated this version based on the evidence of many computations of special cases. 




Theorem 11.8. Suppose that p is an odd prime and a is an integer not divisible by p.
If q is a prime with $p \equiv \pm q \pmod{4a}$, then $\left(\frac{a}{p}\right) = \left(\frac{a}{q}\right)$.


This version of the law of quadratic reciprocity shows that the value of the Legendre
symbol $\left(\frac{a}{p}\right)$ depends only on the residue class of p modulo 4a, and that $\left(\frac{a}{p}\right)$
takes the same value for all primes p with remainder r or 4a − r when divided by 4a.
We leave it to the reader as Exercises 10 and 11 to show that this form of the law of 
quadratic reciprocity is equivalent to the form given in Theorem 11.7. We also ask the 


reader to prove, in Exercise 12, this form of quadratic reciprocity directly, using Gauss’s 
lemma. 


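Before we prove the law of quadratic reciprocity, we will discuss its consequences
and how it is used to evaluate Legendre symbols. We first note that the quantity (p − 1)/2
is even when $p \equiv 1 \pmod{4}$ and odd when $p \equiv 3 \pmod{4}$. Consequently, we see that
$\frac{p-1}{2} \cdot \frac{q-1}{2}$ is even if $p \equiv 1 \pmod{4}$ or $q \equiv 1 \pmod{4}$, whereas $\frac{p-1}{2} \cdot \frac{q-1}{2}$ is odd if
$p \equiv q \equiv 3 \pmod{4}$. Hence, we have

$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = \begin{cases} 1 & \text{if } p \equiv 1 \pmod{4} \text{ or } q \equiv 1 \pmod{4} \text{ (or both)}; \\ -1 & \text{if } p \equiv q \equiv 3 \pmod{4}. \end{cases}$$


Because the only possible values of $\left(\frac{p}{q}\right)$ and $\left(\frac{q}{p}\right)$ are ±1, we see that

$$\left(\frac{p}{q}\right) = \begin{cases} \left(\frac{q}{p}\right) & \text{if } p \equiv 1 \pmod{4} \text{ or } q \equiv 1 \pmod{4} \text{ (or both)}; \\ -\left(\frac{q}{p}\right) & \text{if } p \equiv q \equiv 3 \pmod{4}. \end{cases}$$


This means that if p and q are odd primes, then $\left(\frac{p}{q}\right) = \left(\frac{q}{p}\right)$, unless both p and q are
congruent to 3 modulo 4, and in that case, $\left(\frac{p}{q}\right) = -\left(\frac{q}{p}\right)$.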


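Example 11.8. Let p = 13 and q = 17. Because $p \equiv q \equiv 1 \pmod{4}$, the law of quadratic
reciprocity tells us that $\left(\frac{13}{17}\right) = \left(\frac{17}{13}\right)$. By part (i) of Theorem 11.4, we know that
$\left(\frac{17}{13}\right) = \left(\frac{4}{13}\right)$; and from part (iii) of Theorem 11.4, it follows that $\left(\frac{4}{13}\right) = \left(\frac{2^2}{13}\right) = 1$.
Combining these equalities, we conclude that $\left(\frac{13}{17}\right) = 1$. ◄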


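Example 11.9. Let p = 7 and q = 19. Because $p \equiv q \equiv 3 \pmod{4}$, by the law of
quadratic reciprocity, we know that $\left(\frac{7}{19}\right) = -\left(\frac{19}{7}\right)$. From part (i) of Theorem 11.4,
we see that $\left(\frac{19}{7}\right) = \left(\frac{5}{7}\right)$. Again, using the law of quadratic reciprocity, because $5 \equiv 1 \pmod{4}$
and $7 \equiv 3 \pmod{4}$, we have $\left(\frac{5}{7}\right) = \left(\frac{7}{5}\right)$. By part (i) of Theorem 11.4 and
Theorem 11.6, we know that $\left(\frac{7}{5}\right) = \left(\frac{2}{5}\right) = -1$. Hence, $\left(\frac{7}{19}\right) = 1$. ◄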
We can use the law of quadratic reciprocity and Theorems 11.4 and 11.6 to evaluate
Legendre symbols. Unfortunately, prime factorizations must be computed to evaluate 
Legendre symbols in this way. 


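Example 11.10. We will calculate $\left(\frac{713}{1009}\right)$ (note that 1009 is prime). We factor 713 =
23 · 31, so that by part (ii) of Theorem 11.4, we have

$$\left(\frac{713}{1009}\right) = \left(\frac{23 \cdot 31}{1009}\right) = \left(\frac{23}{1009}\right)\left(\frac{31}{1009}\right).$$


To evaluate the two Legendre symbols on the right side of this equality, we use the law
of quadratic reciprocity. Because $1009 \equiv 1 \pmod{4}$, we see that

$$\left(\frac{23}{1009}\right) = \left(\frac{1009}{23}\right), \qquad \left(\frac{31}{1009}\right) = \left(\frac{1009}{31}\right).$$

Using Theorem 11.4, part (i), we have

$$\left(\frac{1009}{23}\right) = \left(\frac{20}{23}\right), \qquad \left(\frac{1009}{31}\right) = \left(\frac{17}{31}\right).$$

By parts (ii) and (iii) of Theorem 11.4, it follows that

$$\left(\frac{20}{23}\right) = \left(\frac{2^2 \cdot 5}{23}\right) = \left(\frac{2^2}{23}\right)\left(\frac{5}{23}\right) = \left(\frac{5}{23}\right).$$

The law of quadratic reciprocity, part (i) of Theorem 11.4, and Theorem 11.6 tell us that

$$\left(\frac{5}{23}\right) = \left(\frac{23}{5}\right) = \left(\frac{3}{5}\right) = \left(\frac{5}{3}\right) = \left(\frac{2}{3}\right) = -1.$$

Thus, $\left(\frac{23}{1009}\right) = -1$.


Likewise, using the law of quadratic reciprocity, Theorem 11.4, and Theorem 11.6,
we find that

$$\left(\frac{17}{31}\right) = \left(\frac{31}{17}\right) = \left(\frac{14}{17}\right) = \left(\frac{2}{17}\right)\left(\frac{7}{17}\right) = \left(\frac{7}{17}\right) = \left(\frac{17}{7}\right) = \left(\frac{3}{7}\right) = -\left(\frac{7}{3}\right) = -\left(\frac{4}{3}\right) = -\left(\frac{2^2}{3}\right) = -1.$$

Consequently, $\left(\frac{31}{1009}\right) = -1$.


Therefore, $\left(\frac{713}{1009}\right) = (-1)(-1) = 1$. ◄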


A Proof of the Law of Quadratic Reciprocity 


We now present a proof of the law of quadratic reciprocity originally given by Max Eisenstein.
This proof is a simplification of the third proof given by Gauss. This simplification
was made possible by the following lemma of Eisenstein, which will help us reduce the
proof of the law of quadratic reciprocity to counting lattice points in triangles.


Lemma 11.3. If p is an odd prime and a is an odd integer not divisible by p, then

$$\left(\frac{a}{p}\right) = (-1)^{T(a,p)},$$

where

$$T(a, p) = \sum_{j=1}^{(p-1)/2} [ja/p].$$


Proof. Consider the least positive residues of the integers a, 2a, ..., ((p − 1)/2)a; let
$u_1, u_2, \ldots, u_s$ be those greater than p/2 and let $v_1, v_2, \ldots, v_t$ be those less than p/2.


The division algorithm tells us that

$$ja = p[ja/p] + \text{remainder},$$

where the remainder is one of the $u_j$ or $v_j$. By adding the (p − 1)/2 equations of this
sort, we obtain

(11.4) $$\sum_{j=1}^{(p-1)/2} ja = \sum_{j=1}^{(p-1)/2} p[ja/p] + \sum_{j=1}^{s} u_j + \sum_{j=1}^{t} v_j.$$

As we showed in the proof of Gauss’s lemma, the integers $p - u_1, \ldots, p - u_s$,
$v_1, \ldots, v_t$ are precisely the integers 1, 2, ..., (p − 1)/2, in some order. Hence, summing


FERDINAND GOTTHOLD MAX EISENSTEIN (1823-1852) suffered
from poor health his entire life. He moved with his family to England, Ireland,
and Wales before returning to Germany. In Ireland, Eisenstein met Sir
William Rowan Hamilton, who stimulated his interest in mathematics by giving
him a paper that discussed the impossibility of solving quintic equations in
radicals. On his return to Germany in 1843, at the age of 20, Eisenstein entered
the University of Berlin.


Eisenstein amazed the mathematical community when he quickly began producing new results
soon after entering the university. In 1844, Eisenstein met Gauss in Göttingen, where they discussed
reciprocity for cubic residues. Gauss was extremely impressed by Eisenstein, and tried to obtain
financial support for him. Gauss wrote to the explorer and scientist Alexander von Humboldt that
the talent Eisenstein had was “that nature bestows upon only a few in each century.” Eisenstein was
amazingly prolific. In 1844, he published 16 papers in Volume 27 of Crelle’s Journal alone. In the third
semester of his studies, he received an honorary doctorate from the University of Breslau. Eisenstein
was appointed to an unsalaried position as a Privatdozent at the University of Berlin; however, after
1847, Eisenstein’s health worsened so much that he was mostly confined to bed. Nevertheless, his
mathematical output continued unabated. After spending a year in Sicily in a futile attempt to improve
his health, he returned to Germany, where he died from tuberculosis at the age of 29. His early death
was considered a tremendous loss by mathematicians.
all these integers, we obtain

(11.5) $$\sum_{j=1}^{(p-1)/2} j = \sum_{j=1}^{s} (p - u_j) + \sum_{j=1}^{t} v_j = ps - \sum_{j=1}^{s} u_j + \sum_{j=1}^{t} v_j.$$

Subtracting (11.5) from (11.4), we find that

$$\sum_{j=1}^{(p-1)/2} ja - \sum_{j=1}^{(p-1)/2} j = \sum_{j=1}^{(p-1)/2} p[ja/p] - ps + 2\sum_{j=1}^{s} u_j$$

or, equivalently, because $T(a, p) = \sum_{j=1}^{(p-1)/2} [ja/p]$,

$$(a - 1) \sum_{j=1}^{(p-1)/2} j = pT(a, p) - ps + 2\sum_{j=1}^{s} u_j.$$


Reducing this last equation modulo 2, because a and p are odd, yields

$$0 \equiv T(a, p) - s \pmod{2}.$$

Hence,

$$T(a, p) \equiv s \pmod{2}.$$


To finish the proof, we note that from Gauss’s lemma,

$$\left(\frac{a}{p}\right) = (-1)^s.$$


Consequently, because $(-1)^s = (-1)^{T(a,p)}$, it follows that

$$\left(\frac{a}{p}\right) = (-1)^{T(a,p)}. \qquad \blacksquare$$

Although Lemma 11.3 is used primarily as a tool in the proof of the law of quadratic 
reciprocity, it can also be used to evaluate Legendre symbols. 
Example 11.11. To find $\left(\frac{7}{11}\right)$ using Lemma 11.3, we evaluate the sum

$$\sum_{j=1}^{5} [7j/11] = [7/11] + [14/11] + [21/11] + [28/11] + [35/11] = 0 + 1 + 1 + 2 + 3 = 7.$$


Hence, $\left(\frac{7}{11}\right) = (-1)^7 = -1$.


Likewise, to find $\left(\frac{11}{7}\right)$, we note that

$$\sum_{j=1}^{3} [11j/7] = [11/7] + [22/7] + [33/7] = 1 + 3 + 4 = 8,$$

so that $\left(\frac{11}{7}\right) = (-1)^8 = 1$. ◄


Before we present a proof of the law of quadratic reciprocity, we use an example to 
illustrate the method of proof. 


Let p = 7 and q = 11. We consider pairs of integers (x, y) with $1 \le x \le (7-1)/2 = 3$
and $1 \le y \le (11-1)/2 = 5$. There are 15 such pairs. We note that none of these pairs
satisfies 11x = 7y, because the equality 11x = 7y implies that 11 | 7y, so that either 11 | 7,
which is absurd, or 11 | y, which is impossible because $1 \le y \le 5$.


We divide these 15 pairs into two groups, depending on the relative sizes of 11x and 
7y, as shown in Figure 11.1. 


[Figure 11.1 Counting lattice points to determine $\left(\frac{7}{11}\right)\left(\frac{11}{7}\right)$. The figure shows the line y = 11x/7.]


The pairs of integers (x, y) with $1 \le x \le 3$, $1 \le y \le 5$, and 11x > 7y are precisely
those pairs satisfying $1 \le x \le 3$ and $1 \le y \le 11x/7$. For a fixed integer x with $1 \le x \le 3$,
there are [11x/7] allowable values of y. Hence, the total number of pairs satisfying
$1 \le x \le 3$, $1 \le y \le 5$, and 11x > 7y is

$$\sum_{j=1}^{3} [11j/7] = [11/7] + [22/7] + [33/7] = 1 + 3 + 4 = 8;$$

these eight pairs are (1, 1), (2, 1), (2, 2), (2, 3), (3, 1), (3, 2), (3, 3), and (3, 4).


The pairs of integers (x, y) with $1 \le x \le 3$, $1 \le y \le 5$, and 11x < 7y are precisely
those pairs satisfying $1 \le y \le 5$ and $1 \le x \le 7y/11$. For a fixed integer y with $1 \le y \le 5$,
there are [7y/11] allowable values of x. Hence, the total number of pairs satisfying
$1 \le x \le 3$, $1 \le y \le 5$, and 11x < 7y is

$$\sum_{j=1}^{5} [7j/11] = [7/11] + [14/11] + [21/11] + [28/11] + [35/11] = 0 + 1 + 1 + 2 + 3 = 7.$$

These seven pairs are (1, 2), (1, 3), (1, 4), (1, 5), (2, 4), (2, 5), and (3, 5).
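Consequently, we see that

$$\frac{11-1}{2} \cdot \frac{7-1}{2} = 5 \cdot 3 = 15 = \sum_{j=1}^{3} [11j/7] + \sum_{j=1}^{5} [7j/11] = 8 + 7.$$


Hence,

$$(-1)^{\frac{11-1}{2} \cdot \frac{7-1}{2}} = (-1)^{\sum_{j=1}^{3} [11j/7] + \sum_{j=1}^{5} [7j/11]} = (-1)^{\sum_{j=1}^{3} [11j/7]} \, (-1)^{\sum_{j=1}^{5} [7j/11]}.$$


Because Lemma 11.3 tells us that $\left(\frac{11}{7}\right) = (-1)^{\sum_{j=1}^{3} [11j/7]}$ and $\left(\frac{7}{11}\right) = (-1)^{\sum_{j=1}^{5} [7j/11]}$,
we see that $\left(\frac{7}{11}\right)\left(\frac{11}{7}\right) = (-1)^{\frac{7-1}{2} \cdot \frac{11-1}{2}}$.


This establishes the special case of the law of quadratic reciprocity when p = 7 and
q = 11.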

We now prove the law of quadratic reciprocity, using the idea illustrated in the 
example. 


Proof. We consider pairs of integers (x, y) with $1 \le x \le (p-1)/2$ and $1 \le y \le (q-1)/2$.
There are $\frac{p-1}{2} \cdot \frac{q-1}{2}$ such pairs. We divide these pairs into two groups, depending
on the relative sizes of qx and py, as shown in Figure 11.2.


[Figure 11.2 Counting lattice points to determine $\left(\frac{p}{q}\right)\left(\frac{q}{p}\right)$. The figure shows the rectangle with corners (0, 0), ((p − 1)/2, 0), (0, (q − 1)/2), and ((p − 1)/2, (q − 1)/2), with $\sum_{j=1}^{(q-1)/2} [pj/q]$ lattice points in one region and $\sum_{j=1}^{(p-1)/2} [qj/p]$ lattice points in the other.]


First, we note that $qx \neq py$ for all these pairs. For if qx = py, then q | py, which
implies that q | p or q | y. However, because q and p are distinct primes, we know that
$q \nmid p$, and because $1 \le y \le (q-1)/2$, we know that $q \nmid y$.


To enumerate the pairs of integers (x, y) with $1 \le x \le (p-1)/2$, $1 \le y \le (q-1)/2$,
and qx > py, we note that these pairs are precisely those where $1 \le x \le (p-1)/2$
and $1 \le y \le qx/p$. For each fixed value of the integer x, with $1 \le x \le (p-1)/2$,
there are [qx/p] integers satisfying $1 \le y \le qx/p$. Consequently, the total number of
pairs of integers (x, y) with $1 \le x \le (p-1)/2$, $1 \le y \le (q-1)/2$, and qx > py is
$\sum_{j=1}^{(p-1)/2} [qj/p]$.


We now consider the pairs of integers (x, y) with $1 \le x \le (p-1)/2$, $1 \le y \le (q-1)/2$,
and qx < py. These pairs are precisely the pairs of integers (x, y) with
$1 \le y \le (q-1)/2$ and $1 \le x \le py/q$. Hence, for each fixed value of the integer y,
where $1 \le y \le (q-1)/2$, there are exactly [py/q] integers x satisfying $1 \le x \le py/q$.
This shows that the total number of pairs of integers (x, y) with $1 \le x \le (p-1)/2$,
$1 \le y \le (q-1)/2$, and qx < py is $\sum_{j=1}^{(q-1)/2} [pj/q]$.


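Adding the numbers of pairs in these classes, and recalling that the total number of
such pairs is $\frac{p-1}{2} \cdot \frac{q-1}{2}$, we see that

$$\sum_{j=1}^{(p-1)/2} [qj/p] + \sum_{j=1}^{(q-1)/2} [pj/q] = \frac{p-1}{2} \cdot \frac{q-1}{2},$$

or, using the notation of Lemma 11.3,

$$T(q, p) + T(p, q) = \frac{p-1}{2} \cdot \frac{q-1}{2}.$$

Hence,

$$(-1)^{T(q,p) + T(p,q)} = (-1)^{T(q,p)} (-1)^{T(p,q)} = (-1)^{\frac{p-1}{2} \cdot \frac{q-1}{2}}.$$


Lemma 11.3 tells us that $(-1)^{T(q,p)} = \left(\frac{q}{p}\right)$ and $(-1)^{T(p,q)} = \left(\frac{p}{q}\right)$. Hence

$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{\frac{p-1}{2} \cdot \frac{q-1}{2}}.$$


This concludes the proof of the law of quadratic reciprocity. ■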
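

The counting argument above can be checked numerically. The following added example (not from the book; all function names are hypothetical) computes Eisenstein's sum T(a, p) from Lemma 11.3, counts the lattice points on each side of the line qx = py by brute force, and confirms both the identity T(q, p) + T(p, q) = ((p − 1)/2)((q − 1)/2) and the reciprocity law, using Euler's criterion as an independent cross-check.

```python
def eisenstein_T(a, p):
    """T(a, p) = sum over j = 1..(p-1)/2 of floor(j*a / p), as in Lemma 11.3."""
    return sum((j * a) // p for j in range(1, (p - 1) // 2 + 1))


def legendre_eisenstein(a, p):
    """Legendre symbol (a/p) as (-1)^T(a,p); Lemma 11.3 needs a odd, p not dividing a."""
    if a % 2 == 0 or a % p == 0:
        raise ValueError("Lemma 11.3 requires a odd and not divisible by p")
    return -1 if eisenstein_T(a, p) % 2 else 1


def legendre_euler(a, p):
    """Legendre symbol (a/p) by Euler's criterion, used only as a cross-check."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def lattice_counts(p, q):
    """Count pairs 1 <= x <= (p-1)/2, 1 <= y <= (q-1)/2 on each side of qx = py.

    Returns (number with qx > py, number with qx < py).
    """
    below = above = 0
    for x in range(1, (p - 1) // 2 + 1):
        for y in range(1, (q - 1) // 2 + 1):
            if q * x > p * y:
                below += 1
            elif q * x < p * y:
                above += 1
            else:
                # Cannot happen for distinct primes p and q (shown in the proof).
                raise AssertionError("lattice point on the diagonal")
    return below, above


def check_reciprocity(p, q):
    """True if the lattice counts match T(q,p), T(p,q) and the law holds for p, q."""
    below, above = lattice_counts(p, q)
    total = ((p - 1) // 2) * ((q - 1) // 2)
    counts_ok = (below == eisenstein_T(q, p)
                 and above == eisenstein_T(p, q)
                 and below + above == total)
    product = legendre_eisenstein(p, q) * legendre_eisenstein(q, p)
    return counts_ok and product == (-1) ** total


if __name__ == "__main__":
    print("T(7, 11), T(11, 7):", eisenstein_T(7, 11), eisenstein_T(11, 7))
    print("lattice counts for p = 7, q = 11:", lattice_counts(7, 11))
    print("(713/1009) via Lemma 11.3:", legendre_eisenstein(713, 1009))
    odd_primes = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31]
    print(all(check_reciprocity(p, q)
              for p in odd_primes for q in odd_primes if p != q))
```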


The law of quadratic reciprocity has many applications. One use is to prove the validity 
of the following primality test for Fermat numbers. 


Theorem 11.9. Pepin’s Test. The Fermat number $F_m = 2^{2^m} + 1$ is prime if and only if

$$3^{(F_m - 1)/2} \equiv -1 \pmod{F_m}.$$


Proof. We will first show that $F_m$ is prime if the congruence in the statement of the
theorem holds. Assume that

$$3^{(F_m - 1)/2} \equiv -1 \pmod{F_m}.$$

Then, by squaring both sides, we obtain

$$3^{F_m - 1} \equiv 1 \pmod{F_m}.$$

Using this congruence, we see that if p is a prime dividing $F_m$, then

$$3^{F_m - 1} \equiv 1 \pmod{p},$$

and hence,

$$\operatorname{ord}_p 3 \mid (F_m - 1) = 2^{2^m}.$$

Consequently, $\operatorname{ord}_p 3$ must be a power of 2. However,

$$\operatorname{ord}_p 3 \nmid 2^{2^m - 1} = (F_m - 1)/2,$$

because $3^{(F_m - 1)/2} \equiv -1 \pmod{F_m}$. Hence, the only possibility is that $\operatorname{ord}_p 3 = 2^{2^m} = F_m - 1$.
Because $\operatorname{ord}_p 3 = F_m - 1 \le p - 1$ and $p \mid F_m$, we see that $p = F_m$ and, consequently,
$F_m$ must be prime.


Conversely, if $F_m = 2^{2^m} + 1$ is prime for $m \ge 1$, then the law of quadratic reciprocity
tells us that

(11.6) $$\left(\frac{3}{F_m}\right) = \left(\frac{F_m}{3}\right) = \left(\frac{2}{3}\right) = -1,$$

because $F_m \equiv 1 \pmod{4}$ and $F_m \equiv 2 \pmod{3}$.


Now, using Euler’s criterion, we know that

(11.7) $$\left(\frac{3}{F_m}\right) \equiv 3^{(F_m - 1)/2} \pmod{F_m}.$$


By the two equations involving $\left(\frac{3}{F_m}\right)$, (11.6) and (11.7), we conclude that

$$3^{(F_m - 1)/2} \equiv -1 \pmod{F_m}.$$


This finishes the proof. ■


Example 11.12. Let m = 2. Then $F_2 = 2^{2^2} + 1 = 17$ and

$$3^{(F_2 - 1)/2} = 3^8 \equiv -1 \pmod{17}.$$

By Pepin’s test, we see that $F_2 = 17$ is prime.
Let m = 5. Then $F_5 = 2^{2^5} + 1 = 2^{32} + 1 = 4{,}294{,}967{,}297$. We note that

$3^{(F_5 - 1)/2} = 3^{2^{31}} = 3^{2,147,483,648} \equiv$ 19 394 303 $\not\equiv -1 \pmod{4{,}294{,}967{,}297}$.


Hence, by Pepin’s test, we see that $F_5$ is composite. ◄
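

Pepin's test is a single modular exponentiation, which makes it easy to run well beyond the two cases in Example 11.12. The added example below (not from the book; function names are hypothetical) implements the test and, for composite cases, searches for a divisor among the candidates $2^{m+2}k + 1$, the form that the exercise on prime divisors of Fermat numbers in Section 11.1 asks the reader to establish. The restriction of that search to m ≥ 2 and the search bound `max_k` are assumptions of this sketch.

```python
def fermat_number(m):
    """F_m = 2^(2^m) + 1."""
    return (1 << (1 << m)) + 1


def pepin_is_prime(m):
    """Pepin's test: F_m is prime iff 3^((F_m - 1)/2) = -1 (mod F_m), for m >= 1."""
    if m < 1:
        raise ValueError("Pepin's test with base 3 applies for m >= 1")
    f = fermat_number(m)
    return pow(3, (f - 1) // 2, f) == f - 1


def small_factor(m, max_k=10_000):
    """Look for a proper divisor of F_m of the form 2^(m+2) * k + 1.

    Every prime divisor of F_m has this form when m >= 2 (assumption of this
    sketch for the range of m), so only these candidates need trial division.
    Returns the smallest such divisor with k <= max_k, or None.
    """
    if m < 2:
        raise ValueError("the divisor form 2^(m+2) k + 1 is used for m >= 2")
    f = fermat_number(m)
    step = 1 << (m + 2)
    for k in range(1, max_k + 1):
        d = step * k + 1
        if d >= f:          # only proper divisors are of interest
            break
        if f % d == 0:
            return d
    return None


def survey(max_m):
    """(m, Pepin verdict, small factor found or None) for m = 2..max_m."""
    return [(m, pepin_is_prime(m), small_factor(m)) for m in range(2, max_m + 1)]


if __name__ == "__main__":
    for m, is_prime, factor in survey(10):
        verdict = "prime" if is_prime else "composite"
        print(f"F_{m}: {verdict}; divisor 2^{m + 2}k + 1 found: {factor}")
```

The test proves compositeness without exhibiting a factor; where the search returns None for a composite F_m, the bound `max_k` was simply too small.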


EXERCISES 


. Evaluate each of the following Legendre symbols. 


o(@) (8) (8) 


D(s) (ar) (rts) 
. Using the law of quadratic reciprocity, show that if p is an odd prime, then


(=)=| 1 if p = +1 (mod 12); 


D —1 if p = +5 (mod 12). 


. Show that if p is an odd prime, then 


=. 1 if p = 1 (mod 6); 
Dp ~ | -1 if p = —1 (mod 6). 


. Find a congruence describing all primes for which 5 is a quadratic residue. 
. Find a congruence describing all primes for which 7 is a quadratic residue. 


Show that there are infinitely many primes of the form 5k + 4. (Hint: Let n be a positive
integer and form $Q = 5(n!)^2 - 1$. Show that Q has a prime divisor of the form 5k + 4 greater
than n. To do this, use the law of quadratic reciprocity to show that if a prime p divides Q,
then $\left(\frac{5}{p}\right) = 1$.)


. Use Pepin’s test to show that the following Fermat numbers are primes. 


a) $F_1 = 5$    b) $F_3 = 257$    c) $F_4 = 65{,}537$


. Use Pepin’s test to conclude that 3 is a primitive root of every Fermat prime. 


. In this exercise, we give another proof of the law of quadratic reciprocity. Let p and q 


be distinct odd primes. Let R be the interior of the rectangle with vertices O = (0, 0),
A = (p/2, 0), B = (q/2, 0), and C = (p/2, q/2), as shown.


[Figure: rectangle with vertices O (0, 0), A (p/2, 0), B (q/2, 0), and C (p/2, q/2).]


a) Show that the number of lattice points (points with integer coordinates) in R is $\frac{p-1}{2} \cdot \frac{q-1}{2}$.

b) Show that there are no lattice points on the diagonal connecting O and C.

c) Show that the number of lattice points in the triangle with vertices O, A, and C is
$\sum_{j=1}^{(p-1)/2} [jq/p]$.

d) Show that the number of lattice points in the triangle with vertices O, B, and C is
$\sum_{j=1}^{(q-1)/2} [jp/q]$.

e) Conclude from parts (a), (b), (c), and (d) that

$$\sum_{j=1}^{(p-1)/2} [jq/p] + \sum_{j=1}^{(q-1)/2} [jp/q] = \frac{p-1}{2} \cdot \frac{q-1}{2}.$$


Derive the law of quadratic reciprocity using this equation and Lemma 11.3. 
Exercises 10 and 11 ask that you show that Euler’s form of the law of quadratic reciprocity
(Theorem 11.8) and the form given in Theorem 11.7 are equivalent. 


10. 


11. 


12. 


Show that Euler’s form of the law of quadratic reciprocity, Theorem 11.8, implies the law of 
quadratic reciprocity as stated in Theorem 11.7. (Hint: Consider separately the cases when 
$p \equiv q \pmod{4}$ and $p \not\equiv q \pmod{4}$.)


Show that the law of quadratic reciprocity as stated in Theorem 11.7 implies Euler’s form of 
the law of quadratic reciprocity, Theorem 11.8. (Hint: First consider the cases when a = 2 
and when a is an odd prime. Then consider the case when a is composite.) 

Prove Euler’s form of the law of quadratic reciprocity, Theorem 11.8, using Gauss’s lemma. 
(Hint: Show that to find $\left(\frac{a}{p}\right)$, we need only find the parity of the number of integers k
satisfying one of the inequalities (2t − 1)(p/2a) < k < t(p/a) for t = 1, 2, ..., 2u − 1,
where u = a/2 if a is even and u = (a − 1)/2 if a is odd. Then, take p = 4am + r with
0 < r < 4a, and show that finding the parity of the number of integers k satisfying one of the
inequalities listed is the same as finding the parity of the number of integers satisfying one
of the inequalities (2t − 1)r/2a < k < tr/a for t = 1, 2, ..., 2u − 1. Show that this number
depends only on r. Then, repeat the last step of the argument with r replaced by 4a − r.)


Exercise 13 asks that you fill in the details of a proof of the law of quadratic reciprocity originally
developed by Eisenstein. This proof requires familiarity with the complex numbers. 


13. 


A complex number ζ is an nth root of unity, where n is a positive integer, if $\zeta^n = 1$. If n is the
least positive integer for which $\zeta^n = 1$, then ζ is called a primitive nth root of unity. Recall
that $e^{2\pi i} = 1$.

a) Show that $e^{(2\pi i/n)k}$ is an nth root of unity if k is an integer with 0 < k < n − 1, which is
primitive if and only if (k, n) = 1.

b) Show that if ζ is an nth root of unity and $m \equiv \ell \pmod{n}$, then $\zeta^m = \zeta^\ell$. Furthermore,
show that if ζ is a primitive nth root of unity and $\zeta^m = \zeta^\ell$, then $m \equiv \ell \pmod{n}$.

c) Define $f(z) = e^{2\pi i z} - e^{-2\pi i z} = 2i\sin(2\pi z)$. Show that f(z + 1) = f(z) and f(−z) =
−f(z), and that the only real zeros of f(z) are the numbers n/2, where n is an integer.


d) Show that if n is a positive integer, then x” — y” = a (6 ky — ¢—*y), where ¢ = e27!/", 
e) Show that if n is an odd positive integer and f(z) is as defined in part (c), then 
(n—1)/2 


Flas) _ a eee 
Ta ee) a): 


f) Show that if p is an odd prime and a is an integer not divisible by p, then 


TI #(£) = (2) TI #(2) | 


é=1 P PY p21 \P 
g) Prove the law of quadratic reciprocity using parts (e) and (f), starting with 
(p—1)/2 (p—1)/2 
£ £ 
DAG) a) AG): 
e=1 P PY jg, \P 


(Hint: Use part (e) to obtain a formula for f (4) /f (4) .) 
14.


15. 


16. 


17. 
Suppose that p is an odd prime with $\left(\frac{n}{p}\right) = -1$, where $n = k2^m + 1$ with $k < 2^m$ for some
integers k and m. Show that n is prime if and only if $p^{(n-1)/2} \equiv -1 \pmod{n}$. (Hint: Use
Proth’s theorem from Section 9.5 for the “only if” part, and Euler’s criterion and the law of
quadratic reciprocity for the “if” part.)

The integer p = 1 + 8 · 3 · 5 · 7 · 11 · 13 · 17 · 19 · 23 = 892,371,481 is prime (as the reader
can verify using computational software). Show that for all primes q with $q \le 23$, $\left(\frac{q}{p}\right) = 1$.
Conclude that there is no quadratic nonresidue of p less than 29 and that p has no primitive
root less than 29. (This fact is a particular case of the result established in the following
exercise.)

In this exercise, we will show that given any integer M, there exist infinitely many primes p
such that $M < r_p < p - M$, where $r_p$ is the least primitive root modulo p.

a) Let $q_1 = 2, q_2 = 3, q_3 = 5, \ldots, q_n$ be all the primes not exceeding M. Using Dirichlet’s
theorem on primes in arithmetic progressions, there is a prime $p = 1 + 8 q_1 q_2 \cdots q_n r$,
where r is a positive integer. Show that $\left(\frac{-1}{p}\right) = \left(\frac{2}{p}\right) = 1$, and that $\left(\frac{q_i}{p}\right) = 1$ for
i = 2, 3, ..., n.

b) Deduce that all integers t + kp with -M <t+kp < M, where t is an arbitrarily chosen 


integer, are quadratic residues modulo p and hence not primitive roots modulo p. Show 
that this implies the result of interest. 


New proofs of the law of quadratic reciprocity are found surprisingly often. In this exercise, we fill in the steps of a proof discovered by Kim [Ki04], the 221st proof of quadratic reciprocity according to Lemmermeyer as of early 2010. To set up the proof, let $p$ and $q$ be distinct odd primes and $R$ be the set of integers $a$ such that $1 \le a \le \frac{pq-1}{2}$ and $(a, pq) = 1$, let $S$ be the set of integers $a$ with $1 \le a \le \frac{pq-1}{2}$ and $(a, p) = 1$, and let $T$ be the set of integers $q \cdot 1, q \cdot 2, \ldots, q \cdot \frac{p-1}{2}$. Finally, let $A = \prod_{a \in R} a$.

a) Show that $T$ is a subset of $S$ and that $R = S - T$.

b) Use part (a) and Euler's criterion to show that $A \equiv (-1)^{\frac{q-1}{2}} \left(\frac{q}{p}\right) \pmod{p}$.

c) Show that $A \equiv (-1)^{\frac{p-1}{2}} \left(\frac{p}{q}\right) \pmod{q}$ by switching the roles of $p$ and $q$ in parts (a) and (b).

d) Use parts (b) and (c) to show that $(-1)^{\frac{q-1}{2}} \left(\frac{q}{p}\right) = (-1)^{\frac{p-1}{2}} \left(\frac{p}{q}\right)$ if and only if $A \equiv \pm 1 \pmod{pq}$.

e) Show that $A \equiv 1$ or $-1 \pmod{pq}$ if and only if $p \equiv q \equiv 1 \pmod{4}$.

(Hint: First, show that $A \equiv \pm \prod_{a \in U} a \pmod{pq}$, where $U = \{a \in R \mid a^2 \equiv \pm 1 \pmod{pq}\}$, by pairing together elements of $R$ that have either 1 or $-1$ as their product. Then, consider the solutions of each of the congruences $a^2 \equiv 1 \pmod{pq}$ and $a^2 \equiv -1 \pmod{pq}$.)

f) Conclude from parts (d) and (e) that $(-1)^{\frac{q-1}{2}} \left(\frac{q}{p}\right) = (-1)^{\frac{p-1}{2}} \left(\frac{p}{q}\right)$ if and only if $p \equiv q \equiv 1 \pmod{4}$. Deduce the law of quadratic reciprocity from this congruence.


Computations and Explorations 


1. Use Pepin's test to show that the Fermat numbers $F_6$, $F_5$, and $F_8$ are all composite. Can you go further?




Programming Projects 


1. Evaluate Legendre symbols, using the law of quadratic reciprocity. 


2. Given a positive integer $n$, determine whether the $n$th Fermat number $F_n$ is prime, using Pepin's test.


11.3 The Jacobi Symbol 


In this section, we define the Jacobi symbol, named after the German mathematician Carl Jacobi, who introduced it. The Jacobi symbol is a generalization of the Legendre symbol studied in the previous two sections. Jacobi symbols enjoy a reciprocity law identical to the law of quadratic reciprocity, but which holds for all pairs of relatively prime odd integers. This reciprocity law reduces to the law of quadratic reciprocity for all pairs of distinct odd primes. We will also see that the reciprocity law for Jacobi symbols can be used to efficiently evaluate Legendre symbols, unlike the law of quadratic reciprocity. Moreover, Jacobi symbols are also used to define another type of pseudoprimes, namely, Euler pseudoprimes, which are discussed in Section 11.4.


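Definition. Let $n$ be an odd positive integer with prime factorization $n = p_1^{t_1} p_2^{t_2} \cdots p_m^{t_m}$ and let $a$ be an integer relatively prime to $n$. Then, the Jacobi symbol $\left(\frac{a}{n}\right)$ is defined by

$$\left(\frac{a}{n}\right) = \left(\frac{a}{p_1^{t_1} p_2^{t_2} \cdots p_m^{t_m}}\right) = \left(\frac{a}{p_1}\right)^{t_1} \left(\frac{a}{p_2}\right)^{t_2} \cdots \left(\frac{a}{p_m}\right)^{t_m},$$

where the symbols on the right-hand side of the equality are Legendre symbols.

When $(a, n) = 1$, the Jacobi symbol $\left(\frac{a}{n}\right) = \pm 1$, as each Legendre symbol in the definition is $\pm 1$. When $(a, n) \ne 1$, we have $\left(\frac{a}{n}\right) = 0$. To see this, note that if $(a, n) \ne 1$, there must be a prime $p$ dividing both $a$ and $n$. This implies that the Legendre symbol $\left(\frac{a}{p}\right)$, which equals 0, occurs in the definition of $\left(\frac{a}{n}\right)$.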


Example 11.13. From the definition of the Jacobi symbol, we see that

(2)=G5)=@) @)=eren=-

and

(aes) = (Sr) = Cs) ) Gr) =) GG) Ga)
-(3) @) @)- ever 2

CARL GUSTAV JACOB JACOBI (1804-1851) was born into a well-to-do German banking family. Jacobi received an excellent early education at home. He studied at the University of Berlin, mastered mathematics through the texts of Euler, and obtained his doctorate in 1825. In 1826, he became a lecturer at the University of Konigsberg; he was appointed a professor there in 1831. Besides his work in number theory, Jacobi made important contributions to analysis, geometry, and mechanics. He was also interested in the history of mathematics, and was a catalyst in the publication of the collected works of Euler, a job not yet completed although it was begun more than 125 years ago!

When $n$ is prime, the Jacobi symbol is the same as the Legendre symbol. However, when $n$ is composite, the value of the Jacobi symbol $\left(\frac{a}{n}\right)$ does not tell us whether the congruence $x^2 \equiv a \pmod{n}$ has solutions. We do know that if the congruence $x^2 \equiv a \pmod{n}$ has solutions, then $\left(\frac{a}{n}\right) = 1$. To see this, note that if $p$ is a prime divisor of $n$ and if $x^2 \equiv a \pmod{n}$ has solutions, then the congruence $x^2 \equiv a \pmod{p}$ also has solutions. Thus, $\left(\frac{a}{p}\right) = 1$. Consequently, $\left(\frac{a}{n}\right) = \prod_{j=1}^{m} \left(\frac{a}{p_j}\right)^{t_j} = 1$, where the prime factorization of $n$ is $n = p_1^{t_1} p_2^{t_2} \cdots p_m^{t_m}$. To see that it is possible that $\left(\frac{a}{n}\right) = 1$ when there are no solutions to $x^2 \equiv a \pmod{n}$, let $a = 2$ and $n = 15$. Note that $\left(\frac{2}{15}\right) = \left(\frac{2}{3}\right)\left(\frac{2}{5}\right) = (-1)(-1) = 1$. However, there are no solutions to $x^2 \equiv 2 \pmod{15}$, because the congruences $x^2 \equiv 2 \pmod{3}$ and $x^2 \equiv 2 \pmod{5}$ have no solutions.
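The gap between a Jacobi symbol of 1 and actual solvability of $x^2 \equiv a \pmod{n}$ can be checked directly for small moduli. The following is an added example, not code from the book; the function names are illustrative, and trial-division factoring and brute-force root search are assumptions that only make sense for small $n$.

```python
def prime_factorization(n):
    """Trial division, returning {prime: exponent}. Suitable for small n only."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, computed with Euler's criterion."""
    r = pow(a, (p - 1) // 2, p)          # r is 0, 1 or p - 1
    return -1 if r == p - 1 else r


def jacobi_from_definition(a, n):
    """Jacobi symbol (a/n) as the product of Legendre symbols over the
    prime factorization of the odd positive integer n."""
    if n < 1 or n % 2 == 0:
        raise ValueError("n must be an odd positive integer")
    result = 1
    for p, t in prime_factorization(n).items():
        result *= legendre(a, p) ** t
    return result


def is_square_mod(a, n):
    """True when x^2 = a (mod n) has a solution (exhaustive search)."""
    return any((x * x - a) % n == 0 for x in range(n))


def symbol_one_but_not_square(n):
    """All a in 1..n-1 with (a/n) = 1 for which x^2 = a (mod n) is unsolvable."""
    return [a for a in range(1, n)
            if jacobi_from_definition(a, n) == 1 and not is_square_mod(a, n)]


if __name__ == "__main__":
    print("(2/15) =", jacobi_from_definition(2, 15))
    print("2 is a square mod 15:", is_square_mod(2, 15))
    for n in (7, 9, 15):
        print(n, symbol_one_but_not_square(n))
```

For a prime modulus the list is empty, because the Jacobi symbol then coincides with the Legendre symbol.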


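Properties of Jacobi Symbols

We now show that the Jacobi symbol enjoys some properties similar to those of the Legendre symbol.

Theorem 11.10. Let $n$ be an odd positive integer and let $a$ and $b$ be integers relatively prime to $n$. Then

(i) if $a \equiv b \pmod{n}$, then $\left(\frac{a}{n}\right) = \left(\frac{b}{n}\right)$;

(ii) $\left(\frac{ab}{n}\right) = \left(\frac{a}{n}\right)\left(\frac{b}{n}\right)$;

(iii) $\left(\frac{-1}{n}\right) = (-1)^{(n-1)/2}$;

(iv) $\left(\frac{2}{n}\right) = (-1)^{(n^2-1)/8}$.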
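
Proof. In the proof of this theorem, we use the prime factorization $n = p_1^{t_1} p_2^{t_2} \cdots p_m^{t_m}$.

Proof of (i). We know that if $p$ is a prime dividing $n$, then $a \equiv b \pmod{p}$. Hence, by Theorem 11.4 (i), we have $\left(\frac{a}{p}\right) = \left(\frac{b}{p}\right)$. Consequently, we see that

$$\left(\frac{a}{n}\right) = \left(\frac{a}{p_1}\right)^{t_1}\left(\frac{a}{p_2}\right)^{t_2} \cdots \left(\frac{a}{p_m}\right)^{t_m} = \left(\frac{b}{p_1}\right)^{t_1}\left(\frac{b}{p_2}\right)^{t_2} \cdots \left(\frac{b}{p_m}\right)^{t_m} = \left(\frac{b}{n}\right).$$

Proof of (ii). By Theorem 11.4 (ii), we know that $\left(\frac{ab}{p_i}\right) = \left(\frac{a}{p_i}\right)\left(\frac{b}{p_i}\right)$ for $i = 1, 2, 3, \ldots, m$. Hence,

$$\left(\frac{ab}{n}\right) = \left(\frac{ab}{p_1}\right)^{t_1} \cdots \left(\frac{ab}{p_m}\right)^{t_m} = \left(\frac{a}{p_1}\right)^{t_1}\left(\frac{b}{p_1}\right)^{t_1} \cdots \left(\frac{a}{p_m}\right)^{t_m}\left(\frac{b}{p_m}\right)^{t_m} = \left(\frac{a}{n}\right)\left(\frac{b}{n}\right).$$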


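Proof of (iii). Theorem 11.5 tells us that if $p$ is prime, then $\left(\frac{-1}{p}\right) = (-1)^{(p-1)/2}$. Consequently,

$$\left(\frac{-1}{n}\right) = \left(\frac{-1}{p_1}\right)^{t_1}\left(\frac{-1}{p_2}\right)^{t_2} \cdots \left(\frac{-1}{p_m}\right)^{t_m} = (-1)^{t_1(p_1-1)/2 + t_2(p_2-1)/2 + \cdots + t_m(p_m-1)/2}.$$

Using the prime factorization of $n$, we see that

$$n = (1 + (p_1 - 1))^{t_1} (1 + (p_2 - 1))^{t_2} \cdots (1 + (p_m - 1))^{t_m}.$$

Because $p_i - 1$ is even, it follows that

$$(1 + (p_i - 1))^{t_i} \equiv 1 + t_i(p_i - 1) \pmod{4}$$

and

$$(1 + t_i(p_i - 1))(1 + t_j(p_j - 1)) \equiv 1 + t_i(p_i - 1) + t_j(p_j - 1) \pmod{4}.$$

Therefore,

$$n \equiv 1 + t_1(p_1 - 1) + t_2(p_2 - 1) + \cdots + t_m(p_m - 1) \pmod{4},$$

which implies that

$$(n - 1)/2 \equiv t_1(p_1 - 1)/2 + t_2(p_2 - 1)/2 + \cdots + t_m(p_m - 1)/2 \pmod{2}.$$

Combining this congruence for $(n - 1)/2$ with the expression for $\left(\frac{-1}{n}\right)$ shows that

$$\left(\frac{-1}{n}\right) = (-1)^{(n-1)/2}.$$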


Proof of (iv). By Theorem 11.6, if $p$ is prime, then $\left(\frac{2}{p}\right) = (-1)^{(p^2-1)/8}$. Hence,

$$\left(\frac{2}{n}\right) = \left(\frac{2}{p_1}\right)^{t_1}\left(\frac{2}{p_2}\right)^{t_2} \cdots \left(\frac{2}{p_m}\right)^{t_m} = (-1)^{t_1(p_1^2-1)/8 + t_2(p_2^2-1)/8 + \cdots + t_m(p_m^2-1)/8}.$$

As in the proof of (iii), we note that

$$n^2 = (1 + (p_1^2 - 1))^{t_1} (1 + (p_2^2 - 1))^{t_2} \cdots (1 + (p_m^2 - 1))^{t_m}.$$

Because $p_i^2 - 1 \equiv 0 \pmod{8}$ for $i = 1, 2, \ldots, m$, we see that

$$(1 + (p_i^2 - 1))^{t_i} \equiv 1 + t_i(p_i^2 - 1) \pmod{64}$$

and

$$(1 + t_i(p_i^2 - 1))(1 + t_j(p_j^2 - 1)) \equiv 1 + t_i(p_i^2 - 1) + t_j(p_j^2 - 1) \pmod{64}.$$

Hence,

$$n^2 \equiv 1 + t_1(p_1^2 - 1) + t_2(p_2^2 - 1) + \cdots + t_m(p_m^2 - 1) \pmod{64},$$

which implies that

$$(n^2 - 1)/8 \equiv t_1(p_1^2 - 1)/8 + t_2(p_2^2 - 1)/8 + \cdots + t_m(p_m^2 - 1)/8 \pmod{8}.$$

Combining this congruence for $(n^2 - 1)/8$ with the expression for $\left(\frac{2}{n}\right)$ tells us that $\left(\frac{2}{n}\right) = (-1)^{(n^2-1)/8}$. ■


The Reciprocity Law for Jacobi Symbols 


We now demonstrate that the reciprocity law holds for the Jacobi symbol as well as the 
Legendre symbol. 


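Theorem 11.11. The Reciprocity Law for Jacobi Symbols. Let $n$ and $m$ be relatively prime odd positive integers greater than 1. Then

$$\left(\frac{m}{n}\right)\left(\frac{n}{m}\right) = (-1)^{\frac{m-1}{2} \cdot \frac{n-1}{2}}.$$

Proof. Let the prime factorizations of $m$ and $n$ be $m = p_1^{a_1} p_2^{a_2} \cdots p_s^{a_s}$ and $n = q_1^{b_1} q_2^{b_2} \cdots q_r^{b_r}$. We see that

$$\left(\frac{m}{n}\right) = \prod_{i=1}^{r} \left(\frac{m}{q_i}\right)^{b_i} = \prod_{i=1}^{r} \prod_{j=1}^{s} \left(\frac{p_j}{q_i}\right)^{b_i a_j}$$

and

$$\left(\frac{n}{m}\right) = \prod_{j=1}^{s} \left(\frac{n}{p_j}\right)^{a_j} = \prod_{j=1}^{s} \prod_{i=1}^{r} \left(\frac{q_i}{p_j}\right)^{a_j b_i}.$$

Thus,

$$\left(\frac{m}{n}\right)\left(\frac{n}{m}\right) = \prod_{i=1}^{r} \prod_{j=1}^{s} \left[\left(\frac{p_j}{q_i}\right)\left(\frac{q_i}{p_j}\right)\right]^{a_j b_i}.$$

By the law of quadratic reciprocity, we know that

$$\left(\frac{p_j}{q_i}\right)\left(\frac{q_i}{p_j}\right) = (-1)^{\left(\frac{p_j-1}{2}\right)\left(\frac{q_i-1}{2}\right)}.$$

Hence,

$$\left(\frac{m}{n}\right)\left(\frac{n}{m}\right) = \prod_{i=1}^{r} \prod_{j=1}^{s} (-1)^{a_j\left(\frac{p_j-1}{2}\right) b_i\left(\frac{q_i-1}{2}\right)} = (-1)^{\sum_{i=1}^{r} \sum_{j=1}^{s} a_j\left(\frac{p_j-1}{2}\right) b_i\left(\frac{q_i-1}{2}\right)}. \tag{11.8}$$

We note that

$$\sum_{i=1}^{r} \sum_{j=1}^{s} a_j\left(\frac{p_j-1}{2}\right) b_i\left(\frac{q_i-1}{2}\right) = \sum_{j=1}^{s} a_j\left(\frac{p_j-1}{2}\right) \sum_{i=1}^{r} b_i\left(\frac{q_i-1}{2}\right).$$

As we demonstrated in the proof of Theorem 11.10 (iii),

$$\sum_{j=1}^{s} a_j\left(\frac{p_j-1}{2}\right) \equiv \frac{m-1}{2} \pmod{2}$$

and

$$\sum_{i=1}^{r} b_i\left(\frac{q_i-1}{2}\right) \equiv \frac{n-1}{2} \pmod{2}.$$

Thus,

$$\sum_{i=1}^{r} \sum_{j=1}^{s} a_j\left(\frac{p_j-1}{2}\right) b_i\left(\frac{q_i-1}{2}\right) \equiv \frac{m-1}{2} \cdot \frac{n-1}{2} \pmod{2}. \tag{11.9}$$

Therefore, by equations (11.8) and (11.9), we can conclude that

$$\left(\frac{m}{n}\right)\left(\frac{n}{m}\right) = (-1)^{\frac{m-1}{2} \cdot \frac{n-1}{2}}.$$ ■


Evaluating Legendre and Jacobi Symbols


When we use quadratic reciprocity to evaluate Legendre symbols, we often have to factor one or more Legendre symbols before we can exchange the numerators and denominators of the Legendre symbols that arise. This is illustrated in Example 11.10, where we calculated one such Legendre symbol. As there is no efficient algorithm known for factoring integers, evaluating Legendre symbols by successive use of quadratic reciprocity is not efficient. As Jacobi realized, we can avoid this problem when we use Jacobi symbols and their reciprocity law to compute Legendre symbols. Compare the following example to Example 11.10 to see the difference.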


Example 11.14. Successively using the reciprocity law for Jacobi symbols, Theorem 
11.11, and the properties of Jacobi symbols in Theorem 11.10, we find that 


(33) (82) = (85) = (35) 2)“ 
-(8)-(3)(3)--@)--@)-" 
We have used the reciprocity law for Jacobi symbols to establish the first, fourth, and
seventh equalities. We used part (i) of Theorem 11.10 to obtain the second, fifth, and
eighth equalities, part (ii) to obtain the third and sixth equalities, and part (iv) to obtain
the fourth, sixth, and ninth equalities. ◄


We now use Theorem 11.10 and the reciprocity law for Jacobi symbols to develop an efficient algorithm for computing Jacobi symbols, and consequently, for computing Legendre symbols. Let $a$ and $b$ be relatively prime positive integers with $a > b$. Let $R_0 = a$ and $R_1 = b$. Using the division algorithm and factoring out the highest power of 2 dividing the remainder, we obtain

$$R_0 = R_1 q_1 + 2^{s_1} R_2,$$

where $s_1$ is a nonnegative integer and $R_2$ is an odd positive integer less than $R_1$. When we successively use the division algorithm, and factor out the highest power of 2 that divides remainders, we obtain

$$\begin{aligned}
R_1 &= R_2 q_2 + 2^{s_2} R_3 \\
R_2 &= R_3 q_3 + 2^{s_3} R_4 \\
&\;\;\vdots \\
R_{n-3} &= R_{n-2} q_{n-2} + 2^{s_{n-2}} R_{n-1} \\
R_{n-2} &= R_{n-1} q_{n-1} + 2^{s_{n-1}} \cdot 1,
\end{aligned}$$

where $s_j$ is a nonnegative integer and $R_j$ is an odd positive integer less than $R_{j-1}$ for $j = 2, 3, \ldots, n - 1$. Note that the number of divisions required to reach the final equation does not exceed the number of divisions required to find the greatest common divisor of $a$ and $b$ using the Euclidean algorithm.


We illustrate this sequence of equations with the following example. 


Example 11.15. Let $a = 401$ and $b = 111$. Then

$$\begin{aligned}
401 &= 111 \cdot 3 + 2^2 \cdot 17 \\
111 &= 17 \cdot 6 + 2^0 \cdot 9 \\
17 &= 9 \cdot 1 + 2^3 \cdot 1.
\end{aligned}$$ ◄


Using the sequence of equations that we have described, together with the properties 
of the Jacobi symbol, we prove the following theorem, which gives an algorithm for 
evaluating Jacobi symbols. 


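Theorem 11.12. Let $a$ and $b$ be positive integers with $a > b$. Then

$$\left(\frac{a}{b}\right) = (-1)^{s_1 \frac{R_1^2-1}{8} + \cdots + s_{n-1} \frac{R_{n-1}^2-1}{8} + \frac{R_1-1}{2} \cdot \frac{R_2-1}{2} + \cdots + \frac{R_{n-2}-1}{2} \cdot \frac{R_{n-1}-1}{2}},$$

where the integers $R_j$ and $s_j$, $j = 1, 2, \ldots, n - 1$, are as previously described.

Proof. From the first equation with (i), (ii), and (iv) of Theorem 11.10, we have

$$\left(\frac{a}{b}\right) = \left(\frac{R_0}{R_1}\right) = \left(\frac{2^{s_1} R_2}{R_1}\right) = \left(\frac{2}{R_1}\right)^{s_1}\left(\frac{R_2}{R_1}\right) = (-1)^{s_1 \frac{R_1^2-1}{8}}\left(\frac{R_2}{R_1}\right).$$

Using Theorem 11.11, the reciprocity law for Jacobi symbols, we have

$$\left(\frac{R_2}{R_1}\right) = (-1)^{\frac{R_1-1}{2} \cdot \frac{R_2-1}{2}}\left(\frac{R_1}{R_2}\right),$$

so that

$$\left(\frac{a}{b}\right) = (-1)^{\frac{R_1-1}{2} \cdot \frac{R_2-1}{2} + s_1 \frac{R_1^2-1}{8}}\left(\frac{R_1}{R_2}\right).$$

Similarly, using the subsequent divisions, we find that

$$\left(\frac{R_{j-1}}{R_j}\right) = (-1)^{\frac{R_j-1}{2} \cdot \frac{R_{j+1}-1}{2} + s_j \frac{R_j^2-1}{8}}\left(\frac{R_j}{R_{j+1}}\right)$$

for $j = 2, 3, \ldots, n - 1$. When we combine all the equalities, we obtain the desired expression for $\left(\frac{a}{b}\right)$. ■

The following example illustrates the use of Theorem 11.12.

Example 11.16. To evaluate $\left(\frac{401}{111}\right)$, we use the sequence of divisions in Example 11.15 and Theorem 11.12. This tells us that

$$\left(\frac{401}{111}\right) = (-1)^{2 \cdot \frac{111^2-1}{8} + 0 \cdot \frac{17^2-1}{8} + 3 \cdot \frac{9^2-1}{8} + \frac{111-1}{2} \cdot \frac{17-1}{2} + \frac{17-1}{2} \cdot \frac{9-1}{2}} = 1.$$ ◄
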

The following corollary describes the computational complexity of the algorithm for evaluating Jacobi symbols given in Theorem 11.12.

Corollary 11.12.1. Let $a$ and $b$ be relatively prime positive integers with $a > b$. Then the Jacobi symbol $\left(\frac{a}{b}\right)$ can be evaluated using $O((\log_2 b)^3)$ bit operations.

Proof. To find $\left(\frac{a}{b}\right)$ using Theorem 11.12, we perform a sequence of $O(\log_2 b)$ divisions. To see this, note that the number of divisions does not exceed the number of divisions needed to find $(a, b)$ using the Euclidean algorithm. Thus, by Lamé's theorem, we know that $O(\log_2 b)$ divisions are needed. Each division can be done using $O((\log_2 b)^2)$ bit operations. Each pair of integers $R_j$ and $s_j$ can be found using $O(\log_2 b)$ bit operations once the appropriate division has been carried out.

Consequently, $O((\log_2 b)^3)$ bit operations are required to find the integers $R_j$, $s_j$, $j = 1, 2, \ldots, n - 1$, from $a$ and $b$. Finally, to evaluate the exponent of $-1$ in the expression for $\left(\frac{a}{b}\right)$ in Theorem 11.12, we use the last three bits in the binary expansions of $R_j$, $j = 1, 2, \ldots, n - 1$, and the last bit in the binary expansions of $s_j$, $j = 1, 2, \ldots, n - 1$. Therefore, we use $O(\log_2 b)$ additional bit operations to find $\left(\frac{a}{b}\right)$. Because $O((\log_2 b)^3) + O(\log_2 b) = O((\log_2 b)^3)$, the corollary holds. ■

We can improve this corollary if we use more care when estimating the number of bit operations used by divisions. In particular, we can show that $O((\log_2 b)^2)$ bit operations suffice for evaluating $\left(\frac{a}{b}\right)$. We leave this as an exercise.


EXERCISES

1. Evaluate each of the following Jacobi symbols.
(i) (ror) & (555)
t (i) (mr) (rots)

2. For which positive integers n that are relatively prime to 15 does the Jacobi symbol (5) equal 1?

3. For which positive integers n that are relatively prime to 30 does the Jacobi symbol (2) equal 1?

Suppose that $n = pq$, where $p$ and $q$ are primes. We say that the integer $a$ is a pseudo-square modulo $n$ if $a$ is a quadratic nonresidue of $n$, but $\left(\frac{a}{n}\right) = 1$.

4. Show that if $a$ is a pseudo-square modulo $n$, then $\left(\frac{a}{p}\right) = \left(\frac{a}{q}\right) = -1$.

5. Find all the pseudo-squares modulo 21.

6. Find all the pseudo-squares modulo 35.

7. Find all the pseudo-squares modulo 143.

8. Let $a$ and $b$ be relatively prime integers such that $b$ is odd and positive and $a = (-1)^s 2^t q$, where $q$ is odd. Show that

$$\left(\frac{a}{b}\right) = (-1)^{\frac{b-1}{2} \cdot s + \frac{b^2-1}{8} \cdot t}\left(\frac{q}{b}\right).$$

9. Let $n$ be an odd square-free positive integer. Show that there is an integer $a$ such that $(a, n) = 1$ and $\left(\frac{a}{n}\right) = -1$.

10. Let $n$ be an odd square-free positive integer.

a) Show that $\sum \left(\frac{k}{n}\right) = 0$, where the sum is taken over all $k$ in a reduced set of residues modulo $n$. (Hint: Use Exercise 9.)

b) From part (a), show that the number of integers in a reduced set of residues modulo $n$ such that $\left(\frac{k}{n}\right) = 1$ is equal to the number with $\left(\frac{k}{n}\right) = -1$.

11. Let $a$ and $b = r_0$ be relatively prime odd positive integers such that


a =1ro9qi + &4r] 
Yo =1192 + €2%2 


Yn—1=Tn—-19n-1 t+ Enlns 
where $q_i$ is a nonnegative even integer, $\varepsilon_i = \pm 1$, $r_i$ is a positive integer with $r_i < r_{i-1}$, for $i = 1, 2, \ldots, n$, and $r_n = 1$. These equations are obtained by successively using the modified division algorithm given in Exercise 18 of Section 1.5.


a) Show that the Jacobi symbol $\left(\frac{a}{b}\right)$ is given by


1 1 nol et! -1 
2) _¢p isEes eee) 
b = (-1) . 


b) Show that the Jacobi symbol $\left(\frac{a}{b}\right)$ is given by

$$\left(\frac{a}{b}\right) = (-1)^T,$$

where $T$ is the number of integers $i$, $1 \le i \le n$, with $r_{i-1} \equiv \varepsilon_i r_i \equiv 3 \pmod{4}$.


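* 12. Show that if $a$ and $b$ are odd integers and $(a, b) = 1$, then the following reciprocity law holds for the Jacobi symbol:

$$\left(\frac{a}{|b|}\right)\left(\frac{b}{|a|}\right) = \begin{cases} -(-1)^{\frac{a-1}{2} \cdot \frac{b-1}{2}} & \text{if } a < 0 \text{ and } b < 0; \\ (-1)^{\frac{a-1}{2} \cdot \frac{b-1}{2}} & \text{otherwise.} \end{cases}$$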


In Exercises 13-19, we deal with the Kronecker symbol (named after Leopold Kronecker), a generalization of the Jacobi symbol that is defined even when the integer $n$ in the symbol $\left(\frac{a}{n}\right)$ is even. Let $a$ be a positive integer that is not a perfect square such that $a \equiv 0$ or $1 \pmod{4}$. We define the Kronecker symbol by setting:

$$\left(\frac{a}{2}\right) = \begin{cases} 1 & \text{if } a \equiv 1 \pmod{8}; \\ -1 & \text{if } a \equiv 5 \pmod{8}, \end{cases}$$

$\left(\frac{a}{p}\right)$ = the Legendre symbol $\left(\frac{a}{p}\right)$ if $p$ is an odd prime such that $p \nmid a$, and

$$\left(\frac{a}{n}\right) = \prod_{j=1}^{r} \left(\frac{a}{p_j}\right)^{t_j}$$

if $(a, n) = 1$ and $n = \prod_{j=1}^{r} p_j^{t_j}$ is the prime factorization of $n$.


13. Evaluate each of the following Kronecker symbols. 
o(8) 9 @) 9) 


For Exercises 14-19, let $a$ be a positive integer that is not a perfect square such that $a \equiv 0$ or $1 \pmod{4}$.


14. Show that ( = (3) if 2 a, where the symbol on the right is a Jacobi symbol. 


15. Show that if $n_1$ and $n_2$ are positive integers and if $(a, n_1 n_2) = 1$, then $\left(\frac{a}{n_1 n_2}\right) = \left(\frac{a}{n_1}\right) \cdot \left(\frac{a}{n_2}\right)$.


* 16. Show that if n is a positive integer relatively prime to a and if a is odd, then (¢) = (2); 
whereas if a is even and a = 2°t, where ¢ is odd, then 
()-C ew (a)


* 17. Show that if $n_1$ and $n_2$ are positive integers greater than 1 relatively prime to $a$ and $n_1 \equiv n_2 \pmod{|a|}$, then $\left(\frac{a}{n_1}\right) = \left(\frac{a}{n_2}\right)$.
* 18. Show that if $|a| > 3$, then there exists a positive integer $n$ such that $\left(\frac{a}{n}\right) = -1$.


: 7 ae 1 ife>O; 

* 19. Show that if a 4 0, then (f-1) = -1 ife<0. 
20. Show that if $a$ and $b$ are relatively prime integers with $a < b$, then the Jacobi symbol $\left(\frac{a}{b}\right)$ can be evaluated using $O((\log_2 b)^2)$ bit operations.


LEOPOLD KRONECKER (1823-1891) was born in Liegnitz, Prussia, to 
prosperous Jewish parents. His father was a successful businessman and his 
mother came from a wealthy family. As a child, Kronecker was taught by 
private tutors. He later entered the Liegnitz Gymnasium, where he was taught 
mathematics by the number theorist Kummer. Kronecker’s mathematical talents 
were quickly recognized by Kummer, who encouraged Kronecker to engage in 
mathematics research. In 1841, Kronecker entered Berlin University, where he 
studied mathematics, astronomy, meteorology, chemistry, and philosophy. In 
1845, Kronecker wrote his doctoral thesis on algebraic number theory; his supervisor was Dirichlet. 

Kronecker could have begun a promising academic career, but instead he returned to Liegnitz 
to help manage the banking business of an uncle. In 1848, Kronecker married a daughter of this 
uncle. During his time back in Liegnitz, Kronecker continued his research for his own enjoyment. In 
1855, when his family obligations eased, Kronecker returned to Berlin. He was eager to participate 
in the mathematical life of the university. Not holding a university post, he did not teach any classes. 
However, he was extremely active in research, and he published extensively in number theory, elliptic 
functions and algebra, and their interconnections. In 1860, Kronecker was elected to the Berlin 
Academy, giving him the right to lecture at Berlin University. He took advantage of this opportunity 
and lectured on number theory and other mathematical topics. Kronecker's lectures were considered 
very demanding but were also considered to be stimulating. Unfortunately, he was not a popular 
teacher with average students; most of these dropped out of his courses by the end of the semester. 

Kronecker was a strong believer in constructive mathematics, thinking that mathematics should 
be concerned only with finite numbers and with a finite number of operations. He doubted the validity 
of nonconstructive existence proofs and was opposed to objects defined nonconstructively, such 
as irrational numbers. He did not believe that transcendental numbers could exist. He is famous 
for his statement: “God created the integers, all else is the work of man.” Kronecker’s belief in 
constructive mathematics was not shared by most of his colleagues, although he was not the only 
prominent mathematician to hold such beliefs. Many mathematicians found it difficult to get along 
with Kronecker, especially because he was prone to fallings out over mathematical disagreements. 
Also, Kronecker was self-conscious about his short height, reacting badly even to good-natured 
references to his short stature. 
Computations and Explorations
1. Find the value of the Legendre symbol (8 2). 


2. Find the value of the following Jacobi symbols: (tin): (<aaigrass) and 


791 5,400, 207,333 
320,001 
11,111, 111,111,111 )° 


Programming Projects 


1. Evaluate Jacobi symbols using the method of Theorem 11.12. 
2. Evaluate Jacobi symbols using Exercises 8 and 11. 
3. Evaluate Kronecker symbols (as defined in the preamble to Exercise 13). 


11.4 Euler Pseudoprimes 


Let $p$ be an odd prime number and let $b$ be an integer not divisible by $p$. By Euler's criterion, we know that

$$b^{(p-1)/2} \equiv \left(\frac{b}{p}\right) \pmod{p}.$$

Hence, if we wish to test the odd positive integer $n$ for primality, we can take an integer $b$, with $(b, n) = 1$, and determine whether

$$b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod{n},$$

where the symbol on the right-hand side of the congruence is the Jacobi symbol. If we find that this congruence fails, then $n$ is composite.


Example 11.17. Let $n = 341$ and $b = 2$. We calculate that $2^{170} \equiv 1 \pmod{341}$. Because $341 \equiv -3 \pmod{8}$, using Theorem 11.10 (iv), we see that $\left(\frac{2}{341}\right) = -1$. Consequently, $2^{170} \not\equiv \left(\frac{2}{341}\right) \pmod{341}$. This demonstrates that 341 is not prime. ◄


Thus, we can define a type of pseudoprime based on Euler's criterion.

Definition. An odd, composite, positive integer $n$ that satisfies the congruence

$$b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod{n},$$

where $b$ is a positive integer, is called an Euler pseudoprime to the base $b$.

An Euler pseudoprime to the base $b$ is a composite integer that masquerades as a prime by satisfying the congruence given in the definition.

Example 11.18. Let $n = 1105$ and $b = 2$. We calculate that $2^{552} \equiv 1 \pmod{1105}$. Because $1105 \equiv 1 \pmod{8}$, we see that $\left(\frac{2}{1105}\right) = 1$. Hence, $2^{552} \equiv \left(\frac{2}{1105}\right) \pmod{1105}$. Because 1105 is composite, it is an Euler pseudoprime to the base 2. ◄


The following theorem shows that every Euler pseudoprime to the base b is a 
pseudoprime to this base. 


Theorem 11.13. If $n$ is an Euler pseudoprime to the base $b$, then $n$ is a pseudoprime to the base $b$.

Proof. If $n$ is an Euler pseudoprime to the base $b$, then

$$b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod{n}.$$

Hence, by squaring both sides of this congruence, we find that

$$\left(b^{(n-1)/2}\right)^2 \equiv \left(\frac{b}{n}\right)^2 \pmod{n}.$$

Because $\left(\frac{b}{n}\right) = \pm 1$, we see that $b^{n-1} \equiv 1 \pmod{n}$, which means that $n$ is a pseudoprime to the base $b$. ■


Not every pseudoprime is an Euler pseudoprime. For example, the integer 341 is 
not an Euler pseudoprime to the base 2, as we have shown, but is a pseudoprime to this 
base. 


We know that every Euler pseudoprime is a pseudoprime. Next, we show that every 
strong pseudoprime is an Euler pseudoprime. 


Theorem 11.14. If $n$ is a strong pseudoprime to the base $b$, then $n$ is an Euler pseudoprime to this base.

Proof. Let $n$ be a strong pseudoprime to the base $b$. Then, if $n - 1 = 2^s t$, where $t$ is odd, either $b^t \equiv 1 \pmod{n}$ or $b^{2^r t} \equiv -1 \pmod{n}$, where $0 \le r \le s - 1$. Let $n = \prod_{i=1}^{m} p_i^{a_i}$ be the prime-power factorization of $n$.

First, consider the case where $b^t \equiv 1 \pmod{n}$. Let $p$ be a prime divisor of $n$. Because $b^t \equiv 1 \pmod{p}$, we know that $\mathrm{ord}_p b \mid t$. Because $t$ is odd, we see that $\mathrm{ord}_p b$ is also odd. Hence, $\mathrm{ord}_p b \mid (p - 1)/2$, because $\mathrm{ord}_p b$ is an odd divisor of the even integer $\phi(p) = p - 1$. Therefore,

$$b^{(p-1)/2} \equiv 1 \pmod{p}.$$

Consequently, by Euler's criterion, we have $\left(\frac{b}{p}\right) = 1$.

To compute the Jacobi symbol $\left(\frac{b}{n}\right)$, we note that $\left(\frac{b}{p}\right) = 1$ for all primes $p$ dividing $n$. Hence,

$$\left(\frac{b}{n}\right) = \left(\frac{b}{\prod_{i=1}^{m} p_i^{a_i}}\right) = \prod_{i=1}^{m} \left(\frac{b}{p_i}\right)^{a_i} = 1.$$

Because $b^t \equiv 1 \pmod{n}$, we know that $b^{(n-1)/2} = (b^t)^{2^{s-1}} \equiv 1 \pmod{n}$. Therefore, we have

$$b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \equiv 1 \pmod{n}.$$

We conclude that $n$ is an Euler pseudoprime to the base $b$.

Next, we consider the case where

$$b^{2^r t} \equiv -1 \pmod{n}$$

for some $r$ with $0 \le r \le s - 1$. If $p$ is a prime divisor of $n$, then

$$b^{2^r t} \equiv -1 \pmod{p}.$$

Squaring both sides of this congruence, we obtain

$$b^{2^{r+1} t} \equiv 1 \pmod{p},$$

which implies that $\mathrm{ord}_p b \mid 2^{r+1} t$, and from the previous congruence we know that $\mathrm{ord}_p b \nmid 2^r t$. Hence,

$$\mathrm{ord}_p b = 2^{r+1} c,$$

where $c$ is an odd integer. Because $\mathrm{ord}_p b \mid (p - 1)$ and $2^{r+1} \mid \mathrm{ord}_p b$, it follows that $2^{r+1} \mid (p - 1)$. Therefore, we have $p = 2^{r+1} d + 1$, where $d$ is an integer. Because

$$b^{(\mathrm{ord}_p b)/2} \equiv -1 \pmod{p},$$

we have

$$\left(\frac{b}{p}\right) \equiv b^{(p-1)/2} = b^{(\mathrm{ord}_p b/2)((p-1)/\mathrm{ord}_p b)} \pmod{p}.$$

Because $c$ is odd, we know that $(-1)^c = -1$. Hence,

$$\left(\frac{b}{p}\right) = (-1)^{(p-1)/2^{r+1}} = (-1)^d, \tag{11.10}$$

recalling that $d = (p - 1)/2^{r+1}$. Because each prime $p_i$ dividing $n$ is of the form $p_i = 2^{r+1} d_i + 1$, it follows that

$$n \equiv \prod_{i=1}^{m} \left(1 + 2^{r+1} a_i d_i\right) \equiv 1 + 2^{r+1} \sum_{i=1}^{m} a_i d_i \pmod{2^{2r+2}}.$$

Therefore,

$$t 2^{s-1} = (n - 1)/2 \equiv 2^r \sum_{i=1}^{m} a_i d_i \pmod{2^{r+1}}.$$

This congruence implies that

$$t 2^{s-1-r} \equiv \sum_{i=1}^{m} a_i d_i \pmod{2}$$

and

$$b^{(n-1)/2} = \left(b^{2^r t}\right)^{2^{s-1-r}} \equiv (-1)^{2^{s-1-r}} = (-1)^{\sum_{i=1}^{m} a_i d_i} \pmod{n}. \tag{11.11}$$

On the other hand, from (11.10), we have

$$\left(\frac{b}{n}\right) = \prod_{i=1}^{m} \left(\frac{b}{p_i}\right)^{a_i} = \prod_{i=1}^{m} \left((-1)^{d_i}\right)^{a_i} = \prod_{i=1}^{m} (-1)^{a_i d_i} = (-1)^{\sum_{i=1}^{m} a_i d_i}.$$

Therefore, combining the preceding equation with (11.11), we see that

$$b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod{n}.$$

Consequently, $n$ is an Euler pseudoprime to the base $b$. ■


Although every strong pseudoprime to the base b is an Euler pseudoprime to this 
base, note that not every Euler pseudoprime to the base b is a strong pseudoprime to the 
base b, as the following example shows. 


Example 11.19. We have shown in Example 11.18 that the integer 1105 is an Euler pseudoprime to the base 2. However, 1105 is not a strong pseudoprime to the base 2, because

$$2^{(1105-1)/2} = 2^{552} \equiv 1 \pmod{1105},$$

whereas

$$2^{(1105-1)/2^2} = 2^{276} \equiv 781 \not\equiv \pm 1 \pmod{1105}.$$ ◄

Although an Euler pseudoprime to the base $b$ is not always a strong pseudoprime to this base, when certain additional conditions are met, an Euler pseudoprime to the base $b$ is, in fact, a strong pseudoprime to this base. The following two theorems give results of this kind.


Theorem 11.15. If $n \equiv 3 \pmod{4}$ and $n$ is an Euler pseudoprime to the base $b$, then $n$ is a strong pseudoprime to the base $b$.

Proof. From the congruence $n \equiv 3 \pmod{4}$, we know that $n - 1 = 2 \cdot t$, where $t = (n - 1)/2$ is odd. Because $n$ is an Euler pseudoprime to the base $b$, it follows that

$$b^t = b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod{n}.$$

Because $\left(\frac{b}{n}\right) = \pm 1$, we know that either $b^t \equiv 1 \pmod{n}$ or $b^t \equiv -1 \pmod{n}$. Hence, one of the congruences in the definition of a strong pseudoprime to the base $b$ must hold. Consequently, $n$ is a strong pseudoprime to the base $b$. ■


Theorem 11.16. If $n$ is an Euler pseudoprime to the base $b$ and $\left(\frac{b}{n}\right) = -1$, then $n$ is a strong pseudoprime to the base $b$.

Proof. We write $n - 1 = 2^s t$, where $t$ is odd and $s$ is a positive integer. Because $n$ is an Euler pseudoprime to the base $b$, we have

$$b^{2^{s-1} t} = b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod{n}.$$

But because $\left(\frac{b}{n}\right) = -1$, we see that

$$b^{t 2^{s-1}} \equiv -1 \pmod{n}.$$

This is one of the congruences in the definition of a strong pseudoprime to the base $b$. Because $n$ is composite, it is a strong pseudoprime to the base $b$. ■


Using the concept of Euler pseudoprimality, we will develop a probabilistic primality test. This test was first suggested by Solovay and Strassen [SoSt 77].


Before presenting the test, we give some helpful lemmas. 


Lemma 11.4. If $n$ is an odd positive integer that is not a perfect square, then there is at least one integer $b$ with $1 < b < n$, $(b, n) = 1$, and $\left(\frac{b}{n}\right) = -1$, where $\left(\frac{b}{n}\right)$ is the Jacobi symbol.

Proof. If $n$ is prime, the existence of such an integer $b$ is guaranteed by Theorem 11.1. If $n$ is composite, because $n$ is not a perfect square, we can write $n = rs$, where $(r, s) = 1$ and $r = p^e$, with $p$ an odd prime and $e$ an odd positive integer.

Now let $t$ be a quadratic nonresidue of the prime $p$; such a $t$ exists by Theorem 11.1. We use the Chinese remainder theorem to find an integer $b$ such that $1 < b < n$, $(b, n) = 1$, and such that $b$ satisfies the two congruences

$$\begin{aligned}
b &\equiv t \pmod{r} \\
b &\equiv 1 \pmod{s}.
\end{aligned}$$

Then

$$\left(\frac{b}{r}\right) = \left(\frac{b}{p^e}\right) = \left(\frac{b}{p}\right)^e = (-1)^e = -1$$

and $\left(\frac{b}{s}\right) = 1$. Because $\left(\frac{b}{n}\right) = \left(\frac{b}{r}\right)\left(\frac{b}{s}\right)$, it follows that $\left(\frac{b}{n}\right) = -1$. ■


Lemma 11.5. Let $n$ be an odd composite integer. Then there is at least one integer $b$ with $1 < b < n$, $(b, n) = 1$, and

$$b^{(n-1)/2} \not\equiv \left(\frac{b}{n}\right) \pmod{n}.$$

Proof. Assume, for all positive integers not exceeding $n$ and relatively prime to $n$, that

$$b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod{n}. \tag{11.12}$$

Squaring both sides of this congruence tells us that

$$b^{n-1} \equiv \left(\frac{b}{n}\right)^2 \equiv (\pm 1)^2 = 1 \pmod{n},$$

if $(b, n) = 1$. Hence, $n$ must be a Carmichael number. Therefore, by Theorem 9.24, we know that $n = q_1 q_2 \cdots q_r$, where $q_1, q_2, \ldots, q_r$ are distinct odd primes.

We will now show that

$$b^{(n-1)/2} \equiv 1 \pmod{n}$$

for all integers $b$ with $1 < b < n$ and $(b, n) = 1$. Suppose that $b$ is an integer such that

$$b^{(n-1)/2} \equiv -1 \pmod{n}.$$

We use the Chinese remainder theorem to find an integer $a$ with $1 < a < n$, $(a, n) = 1$, and

$$\begin{aligned}
a &\equiv b \pmod{q_1} \\
a &\equiv 1 \pmod{q_2 q_3 \cdots q_r}.
\end{aligned}$$

Then, we observe that

$$a^{(n-1)/2} \equiv b^{(n-1)/2} \equiv -1 \pmod{q_1}, \tag{11.13}$$

whereas

$$a^{(n-1)/2} \equiv 1 \pmod{q_2 q_3 \cdots q_r}. \tag{11.14}$$

From congruences (11.13) and (11.14), we see that

$$a^{(n-1)/2} \not\equiv \pm 1 \pmod{n},$$

contradicting congruence (11.12). Hence, we must have

$$b^{(n-1)/2} \equiv 1 \pmod{n},$$

for all $b$ with $1 < b < n$ and $(b, n) = 1$. Consequently, from hypothesis (11.12), we know that

$$\left(\frac{b}{n}\right) \equiv b^{(n-1)/2} \equiv 1 \pmod{n},$$

which implies that $\left(\frac{b}{n}\right) = 1$ for all $b$ with $1 < b < n$ and $(b, n) = 1$. However, Lemma 11.4 tells us that this is impossible. Hence, the original assumption is false. There must be at least one integer $b$ with $1 < b < n$, $(b, n) = 1$, and

$$b^{(n-1)/2} \not\equiv \left(\frac{b}{n}\right) \pmod{n}.$$ ■


We can now state and prove the theorem that is the basis of the probabilistic primality 
test. 


Theorem 11.17. Let $n$ be an odd composite integer. Then the number of positive integers less than $n$ and relatively prime to $n$ that are bases to which $n$ is an Euler pseudoprime does not exceed $\phi(n)/2$.

Proof. By Lemma 11.5, we know that there is an integer $b$ with $1 < b < n$, $(b, n) = 1$, and

$$b^{(n-1)/2} \not\equiv \left(\frac{b}{n}\right) \pmod{n}. \tag{11.15}$$

Now, let $a_1, a_2, \ldots, a_m$ denote the integers satisfying $1 \le a_j < n$, $(a_j, n) = 1$, and

$$a_j^{(n-1)/2} \equiv \left(\frac{a_j}{n}\right) \pmod{n}, \tag{11.16}$$

for $j = 1, 2, \ldots, m$.

Let $r_1, r_2, \ldots, r_m$ be the least positive residues of the integers $ba_1, ba_2, \ldots, ba_m$ modulo $n$. We note that the integers $r_j$ are distinct and that $(r_j, n) = 1$ for $j = 1, 2, \ldots, m$. Furthermore,

$$r_j^{(n-1)/2} \not\equiv \left(\frac{r_j}{n}\right) \pmod{n}; \tag{11.17}$$


for, if it were true that 


then we would have 
which would imply that

$$b^{(n-1)/2} a_j^{(n-1)/2} \equiv \left(\frac{b}{n}\right)\left(\frac{a_j}{n}\right) \pmod{n},$$

and because (11.16) holds, we would have

$$b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod{n},$$

contradicting (11.15).

Because $a_j$, $j = 1, 2, \ldots, m$, satisfies the congruence (11.16), whereas $r_j$, $j = 1, 2, \ldots, m$, does not, as (11.17) shows, we know that these two sets of integers share no common elements. Hence, looking at the two sets together, we have a total of $2m$ distinct positive integers less than $n$ and relatively prime to $n$. Because there are $\phi(n)$ integers less than $n$ that are relatively prime to $n$, we can conclude that $2m \le \phi(n)$, so that $m \le \phi(n)/2$. This proves the theorem. ■


By Theorem 11.17, we see that if $n$ is an odd composite integer, when an integer $b$ is selected at random from the integers $1, 2, \ldots, n - 1$, the probability that $n$ is an Euler pseudoprime to the base $b$ is less than 1/2. This leads to the following probabilistic primality test.

Theorem 11.18. The Solovay-Strassen Probabilistic Primality Test. Let $n$ be a positive integer. Select, at random, $k$ integers $b_1, b_2, \ldots, b_k$ from the integers $1, 2, \ldots, n - 1$. For each of these integers $b_j$, $j = 1, 2, \ldots, k$, determine whether

$$b_j^{(n-1)/2} \equiv \left(\frac{b_j}{n}\right) \pmod{n}.$$

If any of these congruences fails, then $n$ is composite. If $n$ is prime, then all these congruences hold. If $n$ is composite, the probability that all $k$ congruences hold is less than $1/2^k$. Therefore, if $n$ passes this test when $k$ is large, then $n$ is "almost certainly prime."

Because every strong pseudoprime to the base $b$ is an Euler pseudoprime to this base, more composite integers pass the Solovay-Strassen probabilistic primality test than the Rabin probabilistic primality test, although both require $O(k(\log_2 n)^3)$ bit operations.
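
The divisions of Theorem 11.12 and the test of Theorem 11.18 fit together as follows. This is an added example, not code from the book: the function names are illustrative, a Jacobi symbol of 0 is treated as a failed congruence (an assumption that tightens the theorem's wording, since a zero symbol already exposes a common factor), and `passes_strong_test` encodes the strong pseudoprime congruences quoted in the proof of Theorem 11.14.

```python
import random


def division_chain(a, b):
    """Rows (R_{j-1}, R_j, q_j, s_j, R_{j+1}) of Theorem 11.12's divisions,
    R_{j-1} = R_j*q_j + 2**s_j * R_{j+1}, or None if gcd(a, b) > 1."""
    rows, r_prev, r_cur = [], a, b
    while r_cur > 1:
        q, rem = divmod(r_prev, r_cur)
        if rem == 0:                       # R_j divides R_{j-1}: common factor
            return None
        s = (rem & -rem).bit_length() - 1  # exponent of the highest power of 2 in rem
        rows.append((r_prev, r_cur, q, s, rem >> s))
        r_prev, r_cur = r_cur, rem >> s
    return rows


def jacobi(a, b):
    """Jacobi symbol (a/b) for odd b >= 1 from the exponent formula of
    Theorem 11.12; returns 0 when gcd(a, b) > 1."""
    if b < 1 or b % 2 == 0:
        raise ValueError("the lower argument must be an odd positive integer")
    rows = division_chain(a, b)
    if rows is None:
        return 0
    exponent = sum(s * ((r * r - 1) // 8) + ((r - 1) // 2) * ((r_next - 1) // 2)
                   for _, r, _, s, r_next in rows)
    return -1 if exponent % 2 else 1


def passes_euler_test(n, b):
    """True when b**((n-1)/2) = (b/n) (mod n) with a nonzero symbol, n odd."""
    symbol = jacobi(b, n)
    return symbol != 0 and pow(b, (n - 1) // 2, n) == symbol % n


def passes_strong_test(n, b):
    """True when b**t = 1 or b**(2**r * t) = -1 (mod n) for some 0 <= r <= s-1,
    where n - 1 = 2**s * t with t odd."""
    s, t = 0, n - 1
    while t % 2 == 0:
        s, t = s + 1, t // 2
    x = pow(b, t, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def euler_liar_bases(n):
    """All b in 1..n-1 for which the odd integer n passes the Euler congruence."""
    return [b for b in range(1, n) if passes_euler_test(n, b)]


def solovay_strassen(n, k=20, rng=None):
    """Theorem 11.18: False means n is certainly composite; True means n passed
    k random bases, which a composite n does with probability below 1/2**k."""
    if n < 2 or (n != 2 and n % 2 == 0):
        return False
    if n == 2:
        return True
    rng = rng or random.SystemRandom()
    for _ in range(k):
        if not passes_euler_test(n, rng.randrange(1, n)):
            return False
    return True


if __name__ == "__main__":
    for row in division_chain(401, 111):       # the divisions of Example 11.15
        print("%d = %d*%d + 2^%d*%d" % row)
    print("(401/111) =", jacobi(401, 111))
    for n in (341, 1105):                      # Examples 11.17 to 11.19, base 2
        print(n, "Euler:", passes_euler_test(n, 2), "strong:", passes_strong_test(n, 2))
    print("Euler liar bases for 1105:", len(euler_liar_bases(1105)))
    print("892371481 passes 20 rounds:", solovay_strassen(892371481))
```

For key generation the bases must come from an unpredictable source, which is why the default generator here is `random.SystemRandom`; a fixed or guessable base sequence lets a composite such as 1105 be chosen to pass.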


EXERCISES 


1. Show that the integer 561 is an Euler pseudoprime to the base 2.

2. Show that the integer 15,841 is an Euler pseudoprime to the base 2, a strong pseudoprime to the base 2, and a Carmichael number.

3. Show that if $n$ is an Euler pseudoprime to the bases $a$ and $b$, then $n$ is an Euler pseudoprime to the base $ab$.

4. Show that if $n$ is an Euler pseudoprime to the base $b$, then $n$ is also an Euler pseudoprime to the base $n - b$.

5. Show that if $n \equiv 5 \pmod{8}$ and $n$ is an Euler pseudoprime to the base 2, then $n$ is a strong pseudoprime to the base 2.

6. Show that if $n \equiv 5 \pmod{12}$ and $n$ is an Euler pseudoprime to the base 3, then $n$ is a strong pseudoprime to the base 3.

7. Find a congruence condition for an Euler pseudoprime $n$ to the base 5 that guarantees that $n$ is a strong pseudoprime to the base 5.

** 8. Let the composite positive integer $n$ have prime-power factorization $n = p_1^{a_1} p_2^{a_2} \cdots p_m^{a_m}$, where $p_j = 1 + 2^{k_j} q_j$ for $j = 1, 2, \ldots, m$, where $k_1 \le k_2 \le \cdots \le k_m$, and where $n = 1 + 2^k q$. Show that $n$ is an Euler pseudoprime to exactly

$$\delta_n \prod_{j=1}^{m} \left((n - 1)/2,\; p_j - 1\right)$$

different bases $b$ with $1 < b < n$, where

$$\delta_n = \begin{cases} 2 & \text{if } k_1 = k; \\ 1/2 & \text{if } k_j < k \text{ and } a_j \text{ is odd for some } j; \\ 1 & \text{otherwise.} \end{cases}$$


9. For how many integers b, 1 < b < 561, is 561 an Euler pseudoprime to the base b? 
10. For how many integers b, 1 < b < 1729, is 1729 an Euler pseudoprime to the base b? 


Computations and Explorations 


1. Find all Euler pseudoprimes to the base 2 less than 1,000,000. Do the same thing for the bases 
3, 5, 7, and 11. Devise a primality test based on your results. 

2. Find 10 integers, each with between 50 and 60 decimal digits, that are “probably prime” 
because they pass more than 20 iterations of the Solovay-Strassen probabilistic primality 
test. 


Programming Projects 


1. Given an integer n and a positive integer b greater than 1, determine whether n passes the 
test for Euler pseudoprimes to the base b. 


2. Given an integer n, perform the Solovay-Strassen probabilistic primality test on n. 


11.5 Zero-Knowledge Proofs 


Suppose that you want to convince another person that you have some important private 
information, without revealing this information. For example, you may want to convince 
someone that you know the prime factorization of a 200-digit positive integer without 
telling them the prime factors. Or you may have a proof of an important theorem 
and you want to convince the mathematical community that you have such a proof 
without revealing it. In this section, we will discuss methods, commonly known as 
zero-knowledge or minimum-disclosure proofs, that can be used to convince someone that you 
have certain private, verifiable information, without revealing it. Zero-knowledge proofs 
were invented in the mid-1980s. 


In a zero-knowledge proof, there are two parties, the prover, the person who has the 
secret information, and the verifier, who wants to be convinced that the prover has this 
secret information. When a zero-knowledge proof is used, the probability is extremely 
small that someone who does not have the information can successfully cheat the verifier 
by masquerading as the prover. Moreover, the verifier learns nothing, or almost nothing, 
about the information other than that the prover possesses it. In particular, the verifier 
cannot convince a third party that the verifier knows this information. 


Remark. Because zero-knowledge proofs supply the verifier with a small amount of in- 
formation, zero-knowledge proofs are more properly called minimum-disclosure proofs. 
Nevertheless, we will use the original terminology for such proofs. 


We will illustrate the use of zero-knowledge proofs by describing several examples 
of such proofs, each based on the ease of finding square roots modulo products of two 
primes compared with the difficulty of finding square roots when the two primes are not 
known. (See the end of Section 11.1 for a discussion of this topic.) 


Our first example presents a proposed scheme for a zero-knowledge proof that turned 
out to have a flaw making it unsuitable for this use. Nevertheless, we introduce this 
scheme as our first example because it illustrates the concept of zero-knowledge proofs 
and is relatively simple. Moreover, understanding why it fails to be a valid scheme for 
zero-knowledge proofs adds valuable insight (see Exercise 11). In this scheme, Paula, 
the prover, attempts to convince Vince, the verifier, that she knows the prime factors of 
n, where n is the product of two large primes p and q, without helping him find these 
two prime factors. 


When this scheme was originally devised, it was thought that someone who does 
not know p and q would be unable to find the square root of y modulo n in a reasonable 
amount of time, unlike Paula, who knows these primes. This turns out not to be the case, 
as Exercise 11 illustrates. 


The proposed scheme is based on iterating the following procedure. 


(i) Vince, who knows n, but not p and q, chooses an integer x at random. He 
computes y, the least nonnegative residue of $x^4$ modulo n, and sends this to 
Paula. 


(ii) When Paula receives y, she computes its square root modulo n. (We will explain 
how she can do this after describing the steps of the procedure.) This square 
root is the least positive residue of $x^2$ modulo n. She sends this integer to Vince. 


(iii) Vince checks Paula’s answer by finding the remainder of $x^2$ when it is divided 
by n. 


To see why Paula can find the least positive residue of $x^2$ modulo n in step (ii), note 
that because she knows p and q, she can easily find the four square roots of $x^4$ modulo 
n. Next, note that only one of the four square roots of $x^4$ modulo n is a quadratic residue 
modulo n (see Exercise 3). So, to find $x^2$, she can select the correct square root of the 
four square roots of $x^4$ modulo n by computing the value of the Legendre symbols of 
each of these square roots modulo p and modulo q. Note that someone who does not 
know p and q is unable to find the square root of y modulo n in a reasonable amount of 
time, unlike Paula, who knows these primes. 


We illustrate this procedure in the following example. 


Example 11.20. Suppose that Paula’s private information is her factorization of n = 
103 · 239 = 24,617. She can use the procedure just described to convince Vince that 
she knows the primes p = 103 and q = 239 without revealing them to him. (In practice, 
primes p and q with hundreds of digits would be used, rather than the small primes used 
in this example.) 


To illustrate the procedure, suppose that in step (i) Vince selects the integer 9134 at 
random. He computes the least positive residue of $9134^4$ modulo 24,617, which equals 
20,682. He sends the integer 20,682 to Paula. 


In step (ii), Paula determines the integer $x^2$ using the congruences 

$$x^2 \equiv \pm 20{,}682^{(103+1)/4} = \pm 20{,}682^{26} \equiv \pm 59 \pmod{103}$$
$$x^2 \equiv \pm 20{,}682^{(239+1)/4} = \pm 20{,}682^{60} \equiv \pm 75 \pmod{239}.$$

(Note that we have used the fact that when p ≡ q ≡ 3 (mod 4), the solutions of $x^2 \equiv a \pmod{p}$ 
and $x^2 \equiv a \pmod{q}$ are $x \equiv \pm a^{(p+1)/4} \pmod{p}$ and $x \equiv \pm a^{(q+1)/4} \pmod{q}$, 
respectively.) 


Because $x^2$ is a quadratic residue modulo 24,617 = 103 · 239, we know that it also 
is a quadratic residue modulo 103 and 239. Computing Legendre symbols, we find that 
$\left(\frac{59}{103}\right) = 1$, $\left(\frac{-59}{103}\right) = -1$, $\left(\frac{75}{239}\right) = 1$, and 
$\left(\frac{-75}{239}\right) = -1$. Therefore, Paula finds $x^2$ by 
solving the system $x^2 \equiv 59 \pmod{103}$ and $x^2 \equiv 75 \pmod{239}$. When she solves this 
system, she concludes that $x^2 \equiv 2943 \pmod{24{,}617}$. 


In step (iii), Vince checks Paula’s answer by noting that $x^2 = 9134^2 \equiv 2943 \pmod{24{,}617}$. ◀
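The following added example (not from the book) reproduces Example 11.20 and then shows the flaw described in Exercise 11: because Paula answers any square-root query, a reply to a value Vince built from a w with Jacobi symbol −1 reveals a factor of n. The function names are chosen here, and the Jacobi symbol is computed from the known factors only to label the outcomes; Vince could compute it without them.

```python
from math import gcd

P, Q = 103, 239          # Paula's secret primes from Example 11.20 (both are 3 mod 4)
N = P * Q                # public modulus 24,617


def legendre(a, p):
    """Legendre symbol (a/p) by Euler's criterion: 1, -1, or 0 when p divides a."""
    t = pow(a, (p - 1) // 2, p)
    return -1 if t == p - 1 else t


def paula_sqrt(y, p=P, q=Q):
    """Step (ii): the square root of y mod pq that is itself a quadratic residue."""
    if gcd(y, p * q) != 1:
        raise ValueError("y must be relatively prime to n")
    rp = pow(y, (p + 1) // 4, p)          # roots mod p are +/- rp because p = 3 (mod 4)
    rq = pow(y, (q + 1) // 4, q)
    if legendre(rp, p) != 1:              # keep the sign that is a residue mod p
        rp = p - rp
    if legendre(rq, q) != 1:              # and likewise mod q
        rq = q - rq
    # Chinese remainder theorem: the value that is rp mod p and rq mod q
    return (rp + p * ((rq - rp) * pow(p, -1, q) % q)) % (p * q)


def honest_round(x, n=N):
    """One honest cycle: (y sent by Vince, Paula's answer, Vince's verdict)."""
    y = pow(x, 4, n)
    answer = paula_sqrt(y)
    return y, answer, answer == pow(x, 2, n)


def leaked_factor(w, n=N):
    """Exercise 11: Vince sends z = w^2 and combines Paula's reply t with w.

    t^2 = w^2 (mod n), so gcd(t - w, n) is a prime factor unless t = +/- w.
    Returns the factor, or None when the reply reveals nothing.
    """
    t = paula_sqrt(pow(w, 2, n))
    g = gcd(t - w, n)
    return g if 1 < g < n else None


def jacobi_from_factors(w):
    """(w/n) as a product of Legendre symbols; used here only to label outcomes."""
    return legendre(w, P) * legendre(w, Q)
```

Every w relatively prime to n with Jacobi symbol −1 yields a factor, which is why a prover must never return square roots of values chosen entirely by the verifier.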


We now describe a method to verify the identity of the prover, based on zero-knowledge 
techniques, invented by Shamir in 1985. We again suppose that n = pq, 
where p and q are two large primes both congruent to 3 modulo 4. Let I be a positive 
integer that represents some particular information, such as a personal identification 
number. The prover selects a small positive integer c, which has the property that the 
integer v obtained by concatenating I with c (the number obtained by writing the digits 
of I followed by the digits of c) is a quadratic residue modulo n. (The number c can be 
found by trial and error, with probability close to 1/2.) The prover can easily find u, a 
square root of v modulo n. 


The prover convinces the verifier that she knows the primes p and q using an 
interactive proof. Each cycle of the proof is based on the following steps. 

(i) The prover, Paula, chooses a random number r, and sends to the verifier a 
message containing two values: x, where $x \equiv r^2 \pmod{n}$, 0 < x < n, and y, 
where $y \equiv v\bar{x} \pmod{n}$, 0 < y < n. Here, as usual, $\bar{x}$ is an inverse of x modulo n. 


(ii) The verifier, Vince, checks that $xy \equiv v \pmod{n}$ and chooses, at random, a bit 
b, which he sends to the prover. 


(iii) If the bit b sent by Vince is 0, Paula sends r to Vince. Otherwise, if the bit b is 
1, Paula sends s, the least positive residue of $u\bar{r}$ modulo n, where $\bar{r}$ is an inverse 
of r modulo n. 


(iv) Vince computes the square of what Paula has sent. If Vince sent a 0, he checks 
that this square is x, that is, that $r^2 \equiv x \pmod{n}$. If he sent a 1, he checks that 
this square is y, that is, that $s^2 \equiv y \pmod{n}$. 


This procedure is also based on the fact that the prover can find u, a square root of 
v modulo n, whereas someone who does not know p and q will not be able to compute 
a square root modulo n in a reasonable amount of time. 


The four steps of this procedure form one cycle. Cycles can be repeated sufficiently 
often to guarantee a high degree of security, as we will subsequently describe. 


We illustrate this type of zero-knowledge proof with the following example. 


Example 11.21. Suppose Paula wants to verify her identity to Vince by convincing 
him that she knows the prime factors of n = 31 · 61 = 1891. Her identification number is 
I = 391. Note that 391 is a quadratic residue of 1891 because, as the reader can verify, it 
is a quadratic residue of both 31 and 61, so she can take v = 391 (that is, in this case, she 
does not have to concatenate an integer c with I). Paula finds that u = 239 is a square 
root of 391 modulo 1891. She can easily perform this calculation, because she knows 
the primes 31 and 61. (Note that we have selected small primes p and q in this example 
to illustrate the procedure. In practice, primes with hundreds of digits should be used.) 


We illustrate one cycle of this procedure. In step (i), Paula chooses a random number, 
say, r = 998. She sends Vince two numbers, $x \equiv r^2 = 998^2 \equiv 1338 \pmod{1891}$ and 
$y \equiv v\bar{x} \equiv 391 \cdot 1296 \equiv 1839 \pmod{1891}$. 


In step (ii), Vince checks that $xy \equiv 1338 \cdot 1839 \equiv 391 \pmod{1891}$ and chooses, at 
random, a bit b, say, b = 1, which he sends to Paula. 


In step (iii), Paula sends $s \equiv u\bar{r} \equiv 239 \cdot 1855 \equiv 851 \pmod{1891}$ to Vince. Finally, 
in step (iv), Vince checks that $s^2 = 851^2 \equiv 1839 \equiv y \pmod{1891}$. ◀


Note that if the prover sends the verifier both r and s, the verifier will know the private 
information u = rs, which is the secret information held by the prover. By passing the 
test with sufficiently many cycles, the prover has shown that she can produce either r or 
s on request. It follows that she must know u because, in each cycle, she knows both r 
and s. The choice of the random bit by the verifier makes it impossible for someone to 
fix the procedure by using numbers that have been rigged to pass the test. For example, 
someone could compute the square of a known number r and send $x = r^2$, instead of 
choosing a random number. Similarly, someone could select a number x such that $v\bar{x}$ is 
a known square. However, it is impossible to do precalculations to make both x and y 
the squares of known numbers without knowing u. 


Because the bit chosen by the verifier is chosen at random, the probability that it 
will be a 0 is 1/2, as is the probability that it will be a 1. If someone does not know u, 
the square root of v, the probability that they will pass one iteration of this test is almost 
exactly 1/2. Consequently, the probability that someone masquerading as the prover will 
pass the test with 30 cycles is approximately $1/2^{30}$, which is less than one in a billion. 
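One cycle of the identification procedure, with the numbers of Example 11.21, can be simulated as below. This is an added example, not code from the book; the function names are chosen here. `rigged_commit` models the precalculation described above, which prepares for only one value of the verifier's bit.

```python
import secrets
from math import gcd


def commit(n, v, r):
    """Step (i): x = r^2 and y = v * inverse(x), both reduced modulo n."""
    x = pow(r, 2, n)
    y = v * pow(x, -1, n) % n
    return x, y


def respond(n, u, r, bit):
    """Step (iii): r for bit 0, s = u * inverse(r) mod n for bit 1."""
    return r % n if bit == 0 else u * pow(r, -1, n) % n


def verify(n, v, x, y, bit, answer):
    """Steps (ii) and (iv): check xy = v, then that the answer squares to x or y."""
    if x * y % n != v % n:
        return False
    return pow(answer, 2, n) == (x if bit == 0 else y)


def run_cycles(n, v, u, cycles=30):
    """Honest prover and verifier; True when every cycle is accepted."""
    for _ in range(cycles):
        r = secrets.randbelow(n - 2) + 2
        while gcd(r, n) != 1:                 # r must be invertible modulo n
            r = secrets.randbelow(n - 2) + 2
        x, y = commit(n, v, r)
        bit = secrets.randbits(1)             # the verifier's random challenge
        if not verify(n, v, x, y, bit, respond(n, u, r, bit)):
            return False
    return True


def rigged_commit(n, v, guess, t):
    """A commitment built without u that can answer only the guessed bit.

    guess 0: x = t^2, so t answers bit 0.
    guess 1: y = t^2 and x = v * inverse(y), so t answers bit 1.
    """
    if guess == 0:
        x = pow(t, 2, n)
        y = v * pow(x, -1, n) % n
    else:
        y = pow(t, 2, n)
        x = v * pow(y, -1, n) % n
    return x, y
```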


A variation of this procedure, known as the Fiat-Shamir method, is the basis for 
verification procedures used by smart cards, such as for verifying personal identification 
numbers. 


Next, we describe a method that can be used to prove, using a zero-knowledge 
proof, that someone has certain information. Suppose that the prover, Paula, has 
information represented by a sequence of numbers $v_1, v_2, \ldots, v_m$, where $1 < v_j < n$ for 
$j = 1, 2, \ldots, m$. Here, as before, n is the product of two primes p and q that are both 
congruent to 3 modulo 4. Paula makes public the sequence of integers $s_1, s_2, \ldots, s_m$, where 
$s_j \equiv \bar{v}_j^2 \pmod{n}$, $1 < s_j < n$. Paula wants to convince the verifier, Vince, that she knows 
the private information $v_1, v_2, \ldots, v_m$, without revealing this information to Vince. What 
Vince knows is her public modulus n and her public information $s_1, s_2, \ldots, s_m$. 


The following procedure can be used to convince Vince she has this information. 
Each cycle of the procedure has the following steps. 


(i) Paula chooses a random number r and computes $x = r^2$, which she sends to 
Vince. 


(ii) Vince selects a subset S of the set {1, 2, ..., m} and sends this subset to Paula. 


(iii) Paula computes y, the least positive residue modulo n of the product of r and 
the integers $v_j$ with j in S, that is, $y \equiv r \prod_{j \in S} v_j \pmod{n}$, 0 < y < n, and she 
sends y to Vince. 

(iv) Vince verifies that $x \equiv y^2 z \pmod{n}$, where z is the product of the integers $s_j$ 
with j in S, that is, $z \equiv \prod_{j \in S} s_j \pmod{n}$, 0 < z < n. 


Note that the congruence in step (iv) holds, because 


$\equiv r^2 \pmod{n}$. 


The random number r is used so that the verifier cannot determine the value of the integer 
$v_j$, part of the secret information, by selecting the set S = {j}. When this procedure is 
carried out, the verifier is given no new information that will help him determine the 
private information $v_1, \ldots, v_m$. 

We illustrate one cycle of this interactive zero-knowledge proof in the following 
example. 


Example 11.22. Suppose that Paula wants to convince Vince that she has secret 
information, which is represented by the integers $v_1 = 1144$, $v_2 = 877$, $v_3 = 2001$, $v_4 = 
1221$, and $v_5 = 101$. Her secret modulus is n = 47 · 53 = 2491. (In practice, primes with 
hundreds of digits are used rather than the small primes used in this example.) 


Her public information consists of the integers $s_j$, with $s_j \equiv \bar{v}_j^2 \pmod{2491}$, 
$0 < s_j < 2491$, j = 1, 2, 3, 4, 5. It follows, after routine calculation, that her public information 
consists of the integers $s_1 = 197$, $s_2 = 2453$, $s_3 = 1553$, $s_4 = 941$, and $s_5 = 494$. 

Paula can convince Vince that she has the secret information using the procedure 
described in the text. We describe one cycle of the procedure. In step (i), Paula chooses 
a random number, say, r = 1253. Next, she sends x = 679, the least positive residue of 
$r^2$ modulo 2491, to Vince. 


In step (ii), Vince selects a subset of {1, 2, 3, 4, 5}, say, S = {1, 3, 4, 5}, and informs 
Paula of this choice. 


In step (iii), Paula computes the number y, with 0 < y < 2491 and 

$$y \equiv r v_1 v_3 v_4 v_5 = 1253 \cdot 1144 \cdot 2001 \cdot 1221 \cdot 101 \equiv 68 \pmod{2491}.$$

Consequently, she sends y = 68 to Vince. 


Finally, in step (iv), Vince confirms that $x \equiv y^2 s_1 s_3 s_4 s_5 \pmod{2491}$ by verifying 
that $x = 679 \equiv 68^2 \cdot 197 \cdot 1553 \cdot 941 \cdot 494 \pmod{2491}$. 


Vince can ask Paula to run through more cycles of this procedure to verify that she 
does have the secret information. He stops when he feels that the probability that she is 
cheating is small enough to satisfy his needs. ◀


How can the prover cheat in this interactive procedure for zero-knowledge proofs 
of information? That is, how can the prover fool the verifier into thinking that she really 
knows the private information $v_1, \ldots, v_m$, when she does not? The only obvious way 
is for the prover to guess the set S before the verifier supplies this; in step (i), to take 
$x = r^2 \prod_{j \in S} \bar{v}_j^2$; and in step (iii), to take y = r. Because there are $2^m$ possible sets S (as 
there are that many subsets of {1, 2, ..., m}), the probability that someone not knowing 
the private information fools the verifier using this technique is $1/2^m$. Furthermore, when 
this cycle is iterated T times, the probability decreases to $1/2^{mT}$. For instance, if m = 10 
and T = 3, the probability of the verifier being fooled is less than one in a billion. 
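The cycle of Example 11.22 and the guessing strategy just described can be checked with the short simulation below. It is an added example, not code from the book; the function names are chosen here, and subsets are given as sets of the 1-based indices used in the text.

```python
from itertools import combinations
from math import prod


def public_key(n, v):
    """s_j = (inverse of v_j)^2 mod n for each secret v_j."""
    return [pow(pow(vj, -1, n), 2, n) for vj in v]


def prover_commit(n, r):
    """Step (i): x is the least positive residue of r^2 modulo n."""
    return pow(r, 2, n)


def prover_respond(n, r, v, subset):
    """Step (iii): y = r * product of v_j for j in S, modulo n."""
    return r * prod(v[j - 1] for j in subset) % n


def verifier_check(n, s, x, subset, y):
    """Step (iv): accept when x = y^2 * z (mod n), z the product of s_j, j in S."""
    z = prod(s[j - 1] for j in subset) % n
    return x == pow(y, 2, n) * z % n


def guess_commit(n, s, guess, r):
    """Without the v_j: commit to x = r^2 * product of s_j over a guessed S, answer r."""
    x = pow(r, 2, n) * prod(s[j - 1] for j in guess) % n
    return x, r


def accepted_challenges(n, s, guess, r):
    """Every subset the verifier could send for which the guessed commitment passes."""
    x, y = guess_commit(n, s, guess, r)
    m = len(s)
    hits = []
    for size in range(m + 1):
        for subset in combinations(range(1, m + 1), size):
            if verifier_check(n, s, x, set(subset), y):
                hits.append(set(subset))
    return hits


# Values from Example 11.22
N_EX = 2491
V_EX = [1144, 877, 2001, 1221, 101]
S_EX = public_key(N_EX, V_EX)
```

`accepted_challenges` lists which of the $2^m$ possible challenges a prepared guess survives; in general this is only the guessed set (or another set whose product of $s_j$ happens to coincide), which is where the $1/2^m$ bound per cycle comes from.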


In this section, we have only briefly touched upon zero-knowledge proofs. The 
reader interested in learning more about this subject should refer to the chapter by 
Goldwasser in [Po90], as well as to the reference supplied in that chapter. 


11.5 EXERCISES 


1. Suppose that n = 3149 = 47 · 67 and that $x^4 \equiv 2070 \pmod{3149}$. Find the least nonnegative 
residue of $x^2$ modulo 3149. 

2. Suppose that n = 11,021 = 103 · 107 and that $x^4 \equiv 1686 \pmod{11{,}021}$. Find the least 
nonnegative residue of $x^2$ modulo 11,021. 

3. Suppose that n = pq, where p and q are primes both congruent to 3 modulo 4, and that x is 
an integer relatively prime to n. Show that of the four square roots of $x^4$ modulo n, only one 
is the least nonnegative residue of a square of an integer. 

4. Suppose that Paula has identification number 1760 and modulus 1961 = 37 · 53. Show how 
she verifies her identity to Vince in one cycle of the Shamir procedure, if she selects the 
random number 1101 and he chooses 1 as his random bit. 

5. Suppose that Paula has identification number 7 and modulus 1411 = 17 · 83. Show how she 
verifies her identity to Vince in one cycle of the Shamir procedure, if she selects the random 
number 822 and he chooses 1 as his random bit. 

6. Run through the steps used to verify that the prover has the secret information in Example 
11.22, when the random number r = 888 is selected by the prover in step (i) and the verifier 
selects the subset {2, 3, 5} of {1, 2, 3, 4, 5}. 

7. Run through the steps used to verify that the prover has the secret information in Example 
11.22, when the random number r = 1403 is selected by the prover in step (i) and the verifier 
selects the subset {1, 5} of {1, 2, 3, 4, 5}. 

8. Let n = 2491 = 47 · 53. Suppose that Paula’s identification information consists of the 
sequence of six numbers $v_1 = 881$, $v_2 = 1199$, $v_3 = 2144$, $v_4 = 110$, $v_5 = 557$, and $v_6 = 2200$. 

a) Find Paula’s public identification information, $s_1, s_2, s_3, s_4, s_5, s_6$. 

b) Suppose that Paula selects at random the number r = 1091, and Vince chooses the subset 
S = {2, 3, 5, 6} and sends this to Paula. Find the number that Paula computes and sends 
back to Vince. 

c) What computation does Vince make to verify Paula’s knowledge of her secret information? 

9. Let n = 3953 = 59 · 67. Suppose that Paula’s identification information consists of the 
sequence of six numbers $v_1 = 1001$, $v_2 = 21$, $v_3 = 3097$, $v_4 = 989$, $v_5 = 157$, and $v_6 = 1039$. 

a) Find Paula’s public identification information $s_1, s_2, s_3, s_4, s_5, s_6$. 

b) Suppose that Paula selects at random the number r = 403, and Vince chooses the subset 
S = {1, 2, 4, 6} and sends this to Paula. Find the number that Paula computes and sends 
back to Vince. 

c) What computation does Vince make to verify Paula’s knowledge of her secret information? 

10. Suppose that n = pq, where p and q are large odd primes and that you are able to efficiently 
extract square roots modulo n without knowing p and q. Show that you can, with probability 
close to 1, find the prime factors p and q. (Hint: Base your algorithm on the following 
procedure. Select an integer x. Extract a square root of the least nonnegative residue of $x^2$ 
modulo n. You will need to show that there is a 1/2 chance that you found a square root not 
congruent to ±x modulo n.) 

11. In this exercise, we expose a flaw in the proposed scheme of a zero-knowledge proof presented 
prior to Example 11.20. Suppose that Vince randomly chooses integers w until he finds a 
value of w for which the Jacobi symbol $\left(\frac{w}{n}\right)$ equals −1 and that he sends Paula z, the least 
nonnegative residue of $w^2$ modulo n. Show that Vince can factor n once Paula sends back 
the square root of z that she computes. 


Computations and Explorations 


1. Give one of your classmates the integer n, where n = pq and p and q are primes with more 
than 50 decimal digits, both congruent to 3 modulo 4. Convince your classmate that you know 
both p and g using a zero-knowledge proof. 


2. Convince one of your classmates that you know a secret in the form of a sequence of 10 
positive integers each less than 10,000, using the zero-knowledge proof described in the text. 


Programming Projects 


1. Given n, the product of two distinct primes both congruent to 3 modulo 4, and the least 
positive residue of $x^4$ modulo n, where x is an integer relatively prime to n, find the least 
positive residue of $x^2$ modulo n. 


12 Decimal Fractions and Continued Fractions 


In this chapter, we will discuss the representation of rational and irrational numbers as 
decimal fractions and continued fractions. We will show that every rational number 
can be expressed as a terminating or periodic decimal fraction, and provide some results 
that tell us the length of the period of the decimal fraction of a rational number. We 
will also construct irrational numbers using decimal fractions, and show how decimal 
fractions can be used to express a transcendental number and to demonstrate that the set 
of real numbers is uncountable. 


Continued fractions provide a useful way of expressing numbers. We will show 
that every rational number has a finite continued fraction, that every irrational number 
has an infinite continued fraction, and that continued fractions are the best rational 
approximations to numbers. We will establish a key result that will tell us that the set of 
quadratic irrationals can be characterized as the set of numbers with periodic continued 
fractions. Finally, we will show how continued fractions can be used to help factor 
integers. 


12.1 Decimal Fractions 


In this section, we discuss the representation of rational and irrational numbers as decimal 
fractions. We first consider base b expansions of real numbers, where b is a positive 
integer, b > 1. Let α be a positive real number, and let a = [α] be the integer part of α, so 
that γ = α − [α] is the fractional part of α and α = a + γ with 0 ≤ γ < 1. By Theorem 
2.1, the integer a has a unique base b expansion. We now show that the fractional part 
γ also has a unique base b expansion. 


Theorem 12.1. Let γ be a real number with 0 ≤ γ < 1, and let b be a positive integer, 
b > 1. Then γ can be uniquely written as 

$$\gamma = \sum_{j=1}^{\infty} c_j / b^j,$$

where the coefficients $c_j$ are integers with $0 \le c_j \le b - 1$ for j = 1, 2, ..., with the 
restriction that for every positive integer N there is an integer n with n > N and $c_n \ne b - 1$. 


In the proof of Theorem 12.1, we deal with infinite series. We will use the following 
formula for the sum of the terms of an infinite geometric series. 

Theorem 12.2. Let a and r be real numbers with |r| < 1. Then 

$$\sum_{j=0}^{\infty} a r^j = a/(1 - r).$$

Most books on calculus or mathematical analysis contain a proof of Theorem 12.2 (see 
[Ru64], for instance). 


We can now prove Theorem 12.1. 

Proof. We first let 

$$c_1 = [b\gamma],$$

so that $0 \le c_1 \le b - 1$, because $0 \le b\gamma < b$. In addition, let 

$$\gamma_1 = b\gamma - c_1 = b\gamma - [b\gamma],$$

so that $0 \le \gamma_1 < 1$ and 

$$\gamma = \frac{c_1}{b} + \frac{\gamma_1}{b}.$$

We recursively define $c_k$ and $\gamma_k$ for k = 2, 3, ..., by 

$$c_k = [b\gamma_{k-1}]$$

and 

$$\gamma_k = b\gamma_{k-1} - c_k,$$

so that $0 \le c_k \le b - 1$, because $0 \le b\gamma_{k-1} < b$, and $0 \le \gamma_k < 1$. Then, it follows that 

$$\gamma = \frac{c_1}{b} + \frac{c_2}{b^2} + \cdots + \frac{c_n}{b^n} + \frac{\gamma_n}{b^n}.$$

Because $0 \le \gamma_n < 1$, we see that $0 \le \gamma_n / b^n < 1/b^n$. Consequently, 

$$\lim_{n \to \infty} \gamma_n / b^n = 0.$$

Therefore, we can conclude that 

$$\gamma = \lim_{n \to \infty} \left( \frac{c_1}{b} + \frac{c_2}{b^2} + \cdots + \frac{c_n}{b^n} \right) = \sum_{j=1}^{\infty} c_j / b^j.$$

To show that this expansion is unique, assume that 

$$\gamma = \sum_{j=1}^{\infty} c_j / b^j = \sum_{j=1}^{\infty} d_j / b^j,$$

where $0 \le c_j \le b - 1$ and $0 \le d_j \le b - 1$ and, for every positive integer N, there are 
integers n and m with $c_n \ne b - 1$ and $d_m \ne b - 1$. Assume that k is the smallest index 
for which $c_k \ne d_k$, and assume that $c_k > d_k$ (the case $c_k < d_k$ is handled by switching the 
roles of the two expansions). Then 

$$0 = \sum_{j=1}^{\infty} (c_j - d_j)/b^j = (c_k - d_k)/b^k + \sum_{j=k+1}^{\infty} (c_j - d_j)/b^j,$$

so that 

$$(12.1) \qquad (c_k - d_k)/b^k = \sum_{j=k+1}^{\infty} (d_j - c_j)/b^j.$$

Because $c_k > d_k$, we have 

$$(12.2) \qquad (c_k - d_k)/b^k \ge 1/b^k,$$

whereas 

$$(12.3) \qquad \sum_{j=k+1}^{\infty} (d_j - c_j)/b^j \le \sum_{j=k+1}^{\infty} (b - 1)/b^j = (b - 1)\,\frac{1/b^{k+1}}{1 - 1/b} = 1/b^k,$$

where we have used Theorem 12.2 to evaluate the sum on the right-hand side of the 
inequality. Note that equality holds in (12.3) if and only if $d_j - c_j = b - 1$ for all j with 
$j \ge k + 1$, and this occurs if and only if $d_j = b - 1$ and $c_j = 0$ for $j \ge k + 1$. However, 
such an instance is excluded by the hypotheses of the theorem. Hence, the inequality in 
(12.3) is strict, and therefore (12.2) and (12.3) contradict (12.1). This shows that the base 
b expansion of α is unique. ■


The unique expansion of a real number in the form $\sum_{j=1}^{\infty} c_j / b^j$ is called the base b 
expansion of this number and is denoted by $(.c_1c_2c_3\ldots)_b$. 


To find the base b expansion $(.c_1c_2c_3\ldots)_b$ of a real number γ, we can use the 
recursive formula for the digits given in the proof of Theorem 12.1, namely, 

$$c_k = [b\gamma_{k-1}], \qquad \gamma_k = b\gamma_{k-1} - [b\gamma_{k-1}],$$

where $\gamma_0 = \gamma$, for k = 1, 2, 3, .... (Note that there is also an explicit formula for these 
digits—see Exercise 21.) 


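Example 12.1. Let $(.c_1c_2c_3\ldots)_8$ be the base 8 expansion of 1/6. Then 

$$c_1 = \left[8 \cdot \tfrac{1}{6}\right] = 1, \qquad \gamma_1 = 8 \cdot \tfrac{1}{6} - 1 = \tfrac{1}{3},$$
$$c_2 = \left[8 \cdot \tfrac{1}{3}\right] = 2, \qquad \gamma_2 = 8 \cdot \tfrac{1}{3} - 2 = \tfrac{2}{3},$$
$$c_3 = \left[8 \cdot \tfrac{2}{3}\right] = 5, \qquad \gamma_3 = 8 \cdot \tfrac{2}{3} - 5 = \tfrac{1}{3},$$
$$c_4 = \left[8 \cdot \tfrac{1}{3}\right] = 2, \qquad \gamma_4 = 8 \cdot \tfrac{1}{3} - 2 = \tfrac{2}{3},$$
$$c_5 = \left[8 \cdot \tfrac{2}{3}\right] = 5, \qquad \gamma_5 = 8 \cdot \tfrac{2}{3} - 5 = \tfrac{1}{3},$$

and so on. We see that the expansion repeats; hence, 

$$1/6 = (.1252525\ldots)_8.$$ ◀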


We will now discuss base b expansions of rational numbers. We will show that a 
number is rational if and only if its base b expansion is periodic or terminates. 


Definition. A base b expansion $(.c_1c_2c_3\ldots)_b$ is said to terminate if there is a positive 
integer n such that $c_n = c_{n+1} = c_{n+2} = \cdots = 0$. 


Example 12.2. The decimal expansion of 1/8, $(.125000\ldots)_{10} = (.125)_{10}$, terminates. 
Also, the base 6 expansion of 4/9, $(.24000\ldots)_6 = (.24)_6$, terminates. ◀


To describe those real numbers with terminating base b expansion, we prove the 
following theorem. 


Theorem 12.3. The real number α, 0 < α < 1, has a terminating base b expansion if 
and only if α is rational and can be written as α = r/s, where 0 < r < s and every prime 
factor of s also divides b. 


Proof. First, suppose that α has a terminating base b expansion, 

$$\alpha = (.c_1c_2 \ldots c_n)_b.$$

Then 

$$\alpha = \frac{c_1}{b} + \frac{c_2}{b^2} + \cdots + \frac{c_n}{b^n} = \frac{c_1 b^{n-1} + c_2 b^{n-2} + \cdots + c_n}{b^n},$$

so that α is rational, and can be written with a denominator divisible only by primes 
dividing b. 


Conversely, suppose that 0 < α < 1, and 

$$\alpha = r/s,$$

where each prime dividing s also divides b. Hence, there is a power of b, say, $b^N$, that 
is divisible by s (for instance, take N to be the largest exponent in the prime-power 
factorization of s). Then 

$$b^N \alpha = b^N r/s = ar,$$

where $sa = b^N$, and a is a positive integer because $s \mid b^N$. Now let $(a_m a_{m-1} \ldots a_1 a_0)_b$ be 
the base b expansion of ar. Then 

$$\alpha = ar/b^N = \frac{a_m b^m + a_{m-1} b^{m-1} + \cdots + a_1 b + a_0}{b^N} = a_m b^{m-N} + a_{m-1} b^{m-1-N} + \cdots + a_1 b^{1-N} + a_0 b^{-N} = (.00 \ldots a_m a_{m-1} \ldots a_1 a_0)_b.$$

Hence, α has a terminating base b expansion. ■


Note that every terminating base b expansion can be written as a nonterminating 
base b expansion with a tail-end consisting entirely of the digit b − 1, because 
$(.c_1c_2 \ldots c_m)_b = (.c_1c_2 \ldots\, c_m{-}1\;\; b{-}1\;\; b{-}1 \ldots)_b$. For instance, $(.12)_{10} = 
(.11999\ldots)_{10}$. This is why we require in Theorem 12.1 that for every integer N there is 
an integer n such that n > N and $c_n \ne b - 1$; without this restriction, base b expansions 
would not be unique. 


A base b expansion that does not terminate may be periodic, for instance, 

$$1/3 = (.333\ldots)_{10},$$
$$1/6 = (.1666\ldots)_{10},$$

and 

$$1/7 = (.142857142857142857\ldots)_{10}.$$


Definition. A base b expansion $(.c_1c_2c_3\ldots)_b$ is called periodic if there are positive 
integers N and k such that $c_{n+k} = c_n$ for $n \ge N$. 


We denote by $(.c_1c_2 \ldots c_{N-1}\overline{c_N \ldots c_{N+k-1}})_b$ the periodic base b expansion 
$(.c_1c_2 \ldots c_{N-1}c_N \ldots c_{N+k-1}c_N \ldots c_{N+k-1}c_N \ldots)_b$. For instance, we have 

$$1/3 = (.\overline{3})_{10},$$
$$1/6 = (.1\overline{6})_{10},$$

and 

$$1/7 = (.\overline{142857})_{10}.$$


Note that the periodic parts of the decimal expansions of 1/3 and 1/7 begin 
immediately, whereas in the decimal expansion of 1/6 the digit 1 precedes the periodic part 
of the expansion. We call the part of a periodic base b expansion preceding the periodic 
part the pre-period, and the periodic part the period, where we take the period to have 
minimal possible length. 

Example 12.3. The base 3 expansion of 2/45 is $(.00\overline{1012})_3$. The pre-period is $(00)_3$ 
and the period is $(1012)_3$. 


The next theorem tells us that the rational numbers are those real numbers with 
periodic or terminating base b expansions. Moreover, the theorem gives the lengths of 
the pre-period and period of the base b expansion of a rational number. 


Theorem 12.4. Let b be a positive integer. Then a periodic base b expansion represents 
a rational number. Conversely, the base b expansion of a rational number either terminates 
or is periodic. Further, if 0 < α < 1, α = r/s, where r and s are relatively prime positive 
integers, and s = TU, where every prime factor of T divides b and (U, b) = 1, then the 
period length of the base b expansion of α is $\mathrm{ord}_U b$, and the pre-period length is N, 
where N is the smallest positive integer such that $T \mid b^N$. 


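Proof. First, suppose that the base b expansion of α is periodic, so that 

$$\alpha = (.c_1c_2 \ldots c_N \overline{c_{N+1} \ldots c_{N+k}})_b = \frac{c_1}{b} + \frac{c_2}{b^2} + \cdots + \frac{c_N}{b^N} + \left(\frac{b^k}{b^k - 1}\right)\left(\frac{c_{N+1}}{b^{N+1}} + \cdots + \frac{c_{N+k}}{b^{N+k}}\right),$$

where we have used Theorem 12.2 to see that 

$$\sum_{j=0}^{\infty} \frac{1}{b^{jk}} = \frac{1}{1 - \frac{1}{b^k}} = \frac{b^k}{b^k - 1}.$$

Because α is the sum of rational numbers, it is rational. 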


Conversely, suppose that 0 < α < 1, α = r/s, where r and s are relatively prime 
positive integers, s = TU, where every prime factor of T divides b, (U, b) = 1, and N 
is the smallest integer such that $T \mid b^N$. 


Because $T \mid b^N$, we have $aT = b^N$, where a is a positive integer. Hence, 

$$(12.4) \qquad b^N \alpha = b^N \frac{r}{TU} = \frac{ar}{U}.$$

Furthermore, we can write 

$$(12.5) \qquad \frac{ar}{U} = A + \frac{C}{U},$$

where A and C are integers with 

$$0 \le A < b^N, \qquad 0 < C < U,$$

and (C, U) = 1. (The inequality for A follows because $0 < b^N \alpha = \frac{ar}{U} < b^N$, which 
results from the inequality 0 < α < 1 when both sides are multiplied by $b^N$.) The fact 
that (C, U) = 1 follows easily from the condition (r, s) = 1. By Theorem 12.1, A has a 
base b expansion $A = (a_n a_{n-1} \ldots a_1 a_0)_b$. 

If U = 1, then the base b expansion of α terminates as shown. Otherwise, let 
$v = \mathrm{ord}_U b$. Then 

$$(12.6) \qquad b^v \frac{C}{U} = \frac{(tU + 1)C}{U} = tC + \frac{C}{U},$$

where t is an integer, because $b^v \equiv 1 \pmod{U}$. However, we also have 

$$(12.7) \qquad b^v \frac{C}{U} = b^v \left( \frac{c_1}{b} + \frac{c_2}{b^2} + \cdots + \frac{c_v}{b^v} + \frac{\gamma_v}{b^v} \right),$$

where $(.c_1c_2c_3\ldots)_b$ is the base b expansion of $\frac{C}{U}$, so that 

$$c_k = [b\gamma_{k-1}], \qquad \gamma_k = b\gamma_{k-1} - [b\gamma_{k-1}],$$

where $\gamma_0 = \frac{C}{U}$, for k = 1, 2, 3, .... From (12.7), we see that 

$$(12.8) \qquad b^v \frac{C}{U} = \left(c_1 b^{v-1} + c_2 b^{v-2} + \cdots + c_v\right) + \gamma_v.$$

Equating the fractional parts of (12.6) and (12.8), noting that $0 \le \gamma_v < 1$, we find that 


Consequently, we see that 

$$\gamma_v = \gamma_0 = \frac{C}{U},$$

so that from the recursive definition of $c_1, c_2, \ldots$, we can conclude that $c_{k+v} = c_k$ for 
k = 1, 2, 3, .... Hence, $\frac{C}{U}$ has a periodic base b expansion 

$$\frac{C}{U} = (.\overline{c_1c_2 \ldots c_v})_b.$$

Combining (12.4) and (12.5), and inserting the base b expansions of A and $\frac{C}{U}$, we have 

$$(12.9) \qquad b^N \alpha = (a_n a_{n-1} \ldots a_1 a_0 . \overline{c_1c_2 \ldots c_v})_b.$$

Dividing both sides of (12.9) by $b^N$, we obtain 

$$\alpha = (.00 \ldots a_n a_{n-1} \ldots a_1 a_0 \overline{c_1c_2 \ldots c_v})_b,$$

(where we have shifted the decimal point in the base b expansion of $b^N \alpha$ N spaces to 
the left to obtain the base b expansion of α). In this base b expansion of α, the pre-period 
$(.00 \ldots a_n a_{n-1} \ldots a_1 a_0)_b$ is of length N, beginning with N − (n + 1) zeros, and the 
period length is v. 

We have shown that there is a base b expansion of α with a pre-period of length N 
and a period of length v. To finish the proof, we must show that we cannot regroup the 
base b expansion of α, so that either the pre-period has length less than N or the period 
has length less than v. To do this, suppose that 

$$\alpha = (.c_1c_2 \ldots c_M \overline{c_{M+1} \ldots c_{M+k}})_b = \frac{c_1}{b} + \frac{c_2}{b^2} + \cdots + \frac{c_M}{b^M} + \left(\frac{b^k}{b^k - 1}\right)\left(\frac{c_{M+1}}{b^{M+1}} + \cdots + \frac{c_{M+k}}{b^{M+k}}\right)$$

$$= \frac{(c_1 b^{M-1} + c_2 b^{M-2} + \cdots + c_M)(b^k - 1) + (c_{M+1} b^{k-1} + \cdots + c_{M+k})}{b^M (b^k - 1)}.$$

Because α = r/s, with (r, s) = 1, we see that $s \mid b^M (b^k - 1)$. Consequently, $T \mid b^M$ and 
$U \mid (b^k - 1)$. Hence, $M \ge N$, and $v \mid k$ (by Theorem 9.1, because $b^k \equiv 1 \pmod{U}$ and 
$v = \mathrm{ord}_U b$). Therefore, the pre-period length cannot be less than N and the period length 
cannot be less than v. ■


We can use Theorem 12.4 to determine the lengths of the pre-period and period of
decimal expansions. Let $\alpha = r/s$, $0 < \alpha < 1$, and $s = 2^{s_1}5^{s_2}t$, where $(t, 10) = 1$. Then, by
Theorem 12.4, the pre-period has length $\max(s_1, s_2)$ and the period has length $\operatorname{ord}_t 10$.


Example 12.4. Let $\alpha = 5/28$. Because $28 = 2^2 \cdot 7$, Theorem 12.4 tells us that the pre-period
has length two and the period has length $\operatorname{ord}_7 10 = 6$. As $5/28 = (.17\overline{857142})$, we
see that these lengths are correct. ◄


Note that the pre-period and period lengths of a rational number r/s, in lowest terms, 
depend only on the denominator s, and not on the numerator r. 
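
Theorem 12.4 turned into a check, as an added example that is not from the book: `predicted_lengths` computes $N$ and $v = \operatorname{ord}_U b$ from the denominator alone, and `expand` confirms them by long division in base $b$. The function names and every sample fraction other than 5/28 are constructed for this illustration.

```python
from math import gcd


def split_denominator(s, b):
    """Write s = T * U, where every prime factor of T divides b and gcd(U, b) = 1."""
    T, U = 1, s
    g = gcd(U, b)
    while g > 1:
        T *= g
        U //= g
        g = gcd(U, b)
    return T, U


def multiplicative_order(b, U):
    """Return ord_U b, the least v >= 1 with b**v ≡ 1 (mod U); 0 when U == 1."""
    if U == 1:
        return 0  # the expansion terminates, so there is no period
    if gcd(b, U) != 1:
        raise ValueError("the order is defined only when gcd(b, U) = 1")
    v, x = 1, b % U
    while x != 1:
        x = x * b % U
        v += 1
    return v


def predicted_lengths(r, s, b):
    """(pre-period length N, period length v) of r/s in base b, per Theorem 12.4."""
    if s <= 0 or b < 2:
        raise ValueError("need s > 0 and b >= 2")
    s //= gcd(r, s)                      # the theorem assumes r/s is in lowest terms
    T, U = split_denominator(s, b)
    N, power = 0, 1
    while power % T:                     # smallest N with T | b**N
        power *= b
        N += 1
    return N, multiplicative_order(b, U)


def expand(r, s, b):
    """Base-b digits of r/s (0 < r/s < 1) by long division: (pre_period, period)."""
    if not 0 < r < s:
        raise ValueError("need 0 < r/s < 1")
    digits, first_seen = [], {}
    rem = r
    while rem and rem not in first_seen:
        first_seen[rem] = len(digits)    # a repeated remainder starts the period
        rem *= b
        digits.append(rem // s)
        rem %= s
    if rem == 0:
        return digits, []                # terminating expansion
    start = first_seen[rem]
    return digits[:start], digits[start:]


def agrees(r, s, b):
    """True when long division yields exactly the lengths the theorem predicts."""
    pre, period = expand(r, s, b)
    return (len(pre), len(period)) == predicted_lengths(r, s, b)


if __name__ == "__main__":
    # 5/28 is Example 12.4; the other inputs are constructed samples.
    for r, s, b in [(5, 28, 10), (3, 28, 10), (3, 8, 10), (3, 20, 2)]:
        print(r, s, b, predicted_lengths(r, s, b), expand(r, s, b), agrees(r, s, b))
```

Because the 1/P generator of Exercise 26 outputs the base $m$ digits of $1/P$, `predicted_lengths(1, P, m)` also gives the number of terms after which that generator's output repeats.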


We observe that by Theorem 12.4 a base b expansion that is not terminating and is 
not periodic represents an irrational number. 


Example 12.5. The number with decimal expansion

$$\alpha = .10100100010000\ldots,$$

consisting of a one followed by a zero, a one followed by two zeros, a one followed by
three zeros, and so on, is irrational because this decimal expansion does not terminate
and is not periodic. ◄


The number $\alpha$ in the preceding example is concocted so that its decimal expansion
is clearly not periodic. To show that naturally occurring numbers such as $e$ and $\pi$ are
irrational, we cannot use Theorem 12.4, because we do not have explicit formulas for the
decimal digits of these numbers. No matter how many decimal digits of their expansions
we compute, we still cannot conclude that they are irrational from this evidence, because
the period could be longer than the number of digits that we have computed.


Transcendental Numbers 


The French mathematician Liouville was the first person to show that a particular number
is transcendental. (Recall from Section 1.1 that a transcendental number is one that is not
the root of a polynomial with integer coefficients.) The number that Liouville showed is
transcendental is the number

$$\alpha = \sum_{i=1}^{\infty} \frac{1}{10^{i!}} = 0.11000100000000000000000100\ldots.$$

This number has a one in the $n!$th place for each positive integer $n$ and a zero elsewhere.
To show that this number is transcendental, Liouville proved the following theorem,
which shows that algebraic numbers cannot be approximated very well by rational
numbers. In particular, this theorem provides a lower bound for how well an algebraic
number of degree $n$ can be approximated by rational numbers. Note that an algebraic
number of degree $n$ is a real number that is a root of a polynomial of degree $n$ with integer
coefficients which is not a root of any polynomial with integer coefficients of degree less
than $n$.


Theorem 12.5. If $\alpha$ is an algebraic number of degree $n$, where $n$ is a positive integer
greater than 1, then there exists a positive real number $C$ such that

$$\left|\alpha - \frac{p}{q}\right| > C/q^n$$

for every rational number $p/q$, where $q > 0$.


Because the proof of Theorem 12.5, although not difficult, relies on calculus, we 
will not supply it here. We refer the reader to [HaWr08] for a proof. We will be content 
to use this theorem to show that Liouville’s number is transcendental. 


Corollary 12.5.1. The number $\alpha = \sum_{i=1}^{\infty} 1/10^{i!}$ is transcendental.


Proof. First, note that $\alpha$ is not rational, because its decimal expansion does not terminate
and is not periodic. To see that it is not periodic, note that there are increasingly larger
numbers of zeros between successive ones in the expansion.


Let $p_k/q_k$ denote the sum of the first $k$ terms in the sum defining $\alpha$. Note that
$q_k = 10^{k!}$. Because 10!! > 104+)" whenever i > k + 1, we have


Because 
See 
isa 1O&+D! — 196+)!’ 
it follows that 


It therefore follows that $\alpha$ cannot be algebraic, for if it were algebraic of degree $n$, then
by Theorem 12.5 there would be a positive real number $C$ such that $|\alpha - p_k/q_k| > C/q_k^n$.
This is not the case, because we have seen that $|\alpha - p_k/q_k| < 2/q_k^{k+1}$, and taking $k$ to
be sufficiently larger than $n$ produces a contradiction. ∎


The notion of the decimal expansion of real numbers can be used to show that the 
set of real numbers is not countable. A countable set is one that can be put into a one- 
to-one correspondence with the set of positive integers. Equivalently, the elements of a 
countable set can be listed as the terms of a sequence. The element corresponding to the 
integer 1 is listed first, the element corresponding to the integer 2 is listed second, and 
so on. We will give the proof found by German mathematician Georg Cantor. 


Theorem 12.6. The set of real numbers is an uncountable set. 


Proof. We assume that the set of real numbers is countable. Then the subset of all real
numbers between 0 and 1 would also be countable, as a subset of a countable set is also
countable (as the reader should verify). With this assumption, the set of real numbers
between 0 and 1 can be listed as terms of a sequence $r_1, r_2, r_3, \ldots$. Suppose that the
decimal expansions of these real numbers are

$$\begin{aligned}
r_1 &= 0.d_{11}d_{12}d_{13}d_{14} \ldots \\
r_2 &= 0.d_{21}d_{22}d_{23}d_{24} \ldots \\
r_3 &= 0.d_{31}d_{32}d_{33}d_{34} \ldots \\
r_4 &= 0.d_{41}d_{42}d_{43}d_{44} \ldots
\end{aligned}$$

and so on. Now form a new real number $r$ with the decimal expansion $0.d_1d_2d_3d_4 \ldots$,
where the decimal digits are determined by $d_i = 4$ if $d_{ii} \ne 4$ and $d_i = 5$ if $d_{ii} = 4$.


GEORG CANTOR (1845-1918) was born in St. Petersburg, Russia, where
his father was a successful merchant. When he was 11, his family moved to
Germany to escape the harsh weather of Russia. Cantor developed his interest
in mathematics while in German high schools. He attended university at Zurich
and later at the University of Berlin, studying under the famous mathematicians
Kummer, Weierstrass, and Kronecker. He received his doctorate in 1867 for
work in number theory. Cantor took a position at the University of Halle in
1869, a position that he held until he retired in 1913.

Cantor is considered the founder of set theory; he is also noted for his contributions to
mathematical analysis. Many mathematicians had extremely high regard for Cantor’s work, such as Hilbert,
who said that it was “the finest product of mathematical genius and one of the supreme achievements
of purely intellectual human activity.” Besides mathematics, Cantor was interested in philosophy, and
he wrote papers connecting his theory of sets and metaphysics.

Cantor was married in 1874 and had five children. He had a melancholy temperament that was
balanced by his wife’s happy disposition. He received a large inheritance from his father, but since
he was poorly paid as a professor at Halle, he applied for a better-paying position at the University of
Berlin. His appointment there was blocked by Kronecker, who did not agree with Cantor’s views on
set theory. Unfortunately, Cantor suffered from mental illness throughout the later years of his life;
he died of a heart attack in 1918 in a psychiatric clinic.




Because every real number has a unique decimal expansion (when the possibility
that the expansion has a tail end that consists entirely of 9s is excluded), the real number
$r$ that we constructed is between 0 and 1 and is not equal to any of the real numbers
$r_1, r_2, r_3, \ldots$, because the decimal is a real number $r$ between 0 and 1 not in the list,
the assumption that all real numbers between 0 and 1 could be listed is false. It follows
that the set of real numbers between 0 and 1, and hence the set of all real numbers, is
uncountable. ∎


EXERCISES 


1. Find the decimal expansion of each of the following numbers.

a) 2/5 b) 5/12 c) 12/13 d) 8/15 e) 1/111 f) 1/1001


2. Find the base 8 expansions of each of the following numbers.

a) 1/3 b) 1/44 c) 1/5 d) 1/6 e) 1/12 f) 1/22


3. Find the fraction, in lowest terms, represented by each of the following expansions.

a) .12 b) .12 c) .12


4. Find the fraction, in lowest terms, represented by each of the following expansions.


a) (.123), b) (.013)g ©) (1M) d) (ABC) i¢ 


5. For which positive integers b does the base b expansion of 11/210 terminate? 


6. Find the pre-period and period lengths of the decimal expansion of each of the following
rational numbers.

a) 7/12 b) 11/30 c) 1/75 d) 10/23 e) 13/56 f) 1/61


7. Find the pre-period and period lengths of the base 12 expansions of each of the following
rational numbers.

a) 1/4 b) 1/8 c) 7/10 d) 5/24 e) 17/132 f) 7/360


8. Let $b$ be a positive integer. Show that the period length of the base $b$ expansion of $1/m$ is
$m - 1$ if and only if $m$ is prime and $b$ is a primitive root of $m$.


9. For which primes $p$ does the decimal expansion of $1/p$ have period length equal to each of
the following integers?

a) 1 b) 2 c) 3 d) 4 e) 5 f) 6


10. Find the base $b$ expansion of each of the following numbers.

a) $1/(b - 1)$ b) $1/(b + 1)$


11. Let $b$ be an integer with $b > 2$. Show that the base $b$ expansion of $1/(b - 1)^2$ is
$(.\overline{0123 \ldots b-3\ \ b-1})_b$.


12. Show that the real number with base $b$ expansion

$$(.0123 \ldots b-1\ \ 10\ 11\ 12 \ldots)_b,$$

constructed by successively listing the base $b$ expansions of the integers, is irrational.


13. Show that

1 1 1 1 1
be pe pe ps

is irrational, whenever $b$ is a positive integer greater than 1.


14. Let $b_1, b_2, b_3, \ldots$ be an infinite sequence of positive integers greater than 1. Show that every
real number can be represented as

$$c_0 + \frac{c_1}{b_1} + \frac{c_2}{b_1b_2} + \frac{c_3}{b_1b_2b_3} + \cdots,$$

where $c_0, c_1, c_2, c_3, \ldots$ are integers such that $0 \le c_k < k$ for $k = 1, 2, 3, \ldots$.


15. Show that every real number has an expansion

a
OV GR? oi an ,

where $c_0, c_1, c_2, c_3, \ldots$ are integers and $0 \le c_k < k$ for $k = 1, 2, 3, \ldots$.


16. Show that every rational number has a terminating expansion of the type described in Exercise
15.


17. Suppose that $p$ is a prime and the base $b$ expansion of $1/p$ is $(.\overline{c_1c_2 \ldots c_{p-1}})_b$, so that the
period length of the base $b$ expansion of $1/p$ is $p - 1$. Show that if $m$ is a positive integer
with $1 < m < p$, then

$$m/p = (.\overline{c_{k+1} \ldots c_{p-1}c_1c_2 \ldots c_{k-1}c_k})_b,$$

where $k$ is the least positive residue of $\operatorname{ind}_b m$ modulo $p$.


18. Show that if $p$ is prime and $1/p = (.\overline{c_1c_2 \ldots c_k})_b$ has an even period length, $k = 2t$, then
$c_j + c_{j+t} = b - 1$ for $j = 1, 2, \ldots, t$.


19. For which positive integers $n$ is the length of the period of the binary expansion of $1/n$ equal
to $n - 1$?


20. For which positive integers $n$ is the length of the period of the decimal expansion of $1/n$ equal
to $n - 1$?


21. Suppose that $b$ is a positive integer. Show that the coefficients in the base $b$ expansion of the
real number $\gamma = \sum_{j=1}^{\infty} c_j/b^j$ with $0 \le \gamma < 1$ are given by the formula $c_j = [\gamma b^j] - b[\gamma b^{j-1}]$
for $j = 1, 2, \ldots$. (Hint: First, show that $0 \le [\gamma b^j] - b[\gamma b^{j-1}] \le b - 1$. Then, show that
$\sum_{j=1}^{N} ([\gamma b^j] - b[\gamma b^{j-1}])/b^j = \gamma - (\gamma b^N - [\gamma b^N])/b^N$ and let $N \to \infty$.)


22. Use the formula in Exercise 21 to find the base 14 expansion of 1/6.


23. Show that the number $\sum_{i=1}^{\infty} (-1)^{a_i}/10^{i!}$ is transcendental for all sequences of positive integers
$a_1, a_2, \ldots$.


24. Is the set of all real numbers with decimal expansions consisting of only zeros and ones
countable?


25. Show that the number $e$ is irrational.


26. Pseudorandom numbers can be generated using the base $m$ expansion of $1/P$, where $P$ is a
positive integer relatively prime to $m$. We set $x_n = c_{j+n}$, where $j$, the position of the seed, is
a positive integer and $1/P = (.c_1c_2c_3 \ldots)_m$. This is called the 1/P generator. Find the first
ten terms of the pseudorandom sequence generator with each of the following parameters.


a) $m = 7$, $P = 19$, and $j = 6$ b) $m = 8$, $P = 21$, and $j = 5$


Computations and Explorations


1. Find the pre-period and period of the decimal expansions of 212/31597, 1053/4437189, and
81327/16666699.


2. Find as many positive integers $n$ as you can such that the length of the period of the decimal
expansion of $1/n$ is $n - 1$.


3. Find the first 10,000 terms of the decimal expansion of $\pi$. Can you find any patterns? Make
some conjectures about this expansion.


4. Find the first 10,000 terms of the decimal expansion of $e$. Can you find any patterns? Make
some conjectures about this expansion.


Programming Projects


1. Find the base $b$ expansion of a rational number, where $b$ is a positive integer.


2. Find the numerator and denominator of a rational number in lowest terms from its base $b$
expansion.


3. Find the pre-period and period lengths of the base $b$ expansion of a rational number, where
$b$ is a positive integer.


4. Generate pseudorandom numbers using the 1/P generator (introduced in Exercise 26) with
modulus $m$ and seed in position $j$, where $P$ and $m$ are relatively prime positive integers
greater than 1 and $j$ is a positive integer.


Finite Continued Fractions 


The remainder of this chapter deals with continued fractions. In particular, in this section 
we define finite continued fractions. We will show that every rational number can be 
written as a finite continued fraction. Later sections will discuss infinite continued 
fractions. 


Using the Euclidean algorithm, we can express rational numbers as continued 
fractions. For instance, the Euclidean algorithm produces the following sequence of 
equations: 


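$$\begin{aligned}
62 &= 2 \cdot 23 + 16 \\
23 &= 1 \cdot 16 + 7 \\
16 &= 2 \cdot 7 + 2 \\
7 &= 3 \cdot 2 + 1.
\end{aligned}$$

When we divide both sides of each equation by the divisor of that equation, we obtain

$$\begin{aligned}
\frac{62}{23} &= 2 + \frac{16}{23} = 2 + \frac{1}{23/16} \\
\frac{23}{16} &= 1 + \frac{7}{16} = 1 + \frac{1}{16/7} \\
\frac{16}{7} &= 2 + \frac{2}{7} = 2 + \frac{1}{7/2} \\
\frac{7}{2} &= 3 + \frac{1}{2}.
\end{aligned}$$

By combining these equations, we find that

$$\begin{aligned}
\frac{62}{23} &= 2 + \cfrac{1}{23/16} \\
&= 2 + \cfrac{1}{1 + \cfrac{1}{16/7}} \\
&= 2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{7/2}}} \\
&= 2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{3 + \cfrac{1}{2}}}}.
\end{aligned}$$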

The final expression in this string of equations is a continued fraction expansion of 62/23. 


We now define continued fractions. 


Definition. A finite continued fraction is an expression of the form

$$a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{\ddots + \cfrac{1}{a_{n-1} + \cfrac{1}{a_n}}}}},$$

where $a_0, a_1, a_2, \ldots, a_n$ are real numbers with $a_1, a_2, a_3, \ldots, a_n$ positive. The real
numbers $a_1, a_2, \ldots, a_n$ are called the partial quotients of the continued fraction. The
continued fraction is called simple if the real numbers $a_0, a_1, \ldots, a_n$ are all integers.


Because it is cumbersome to fully write out continued fractions, we use the notation
$[a_0; a_1, a_2, \ldots, a_n]$ to represent the continued fraction in the definition of a finite
continued fraction.

We will now show that every finite simple continued fraction represents a rational
number. Later we will demonstrate that every rational number can be expressed as a finite
simple continued fraction.


Theorem 12.7. Every finite simple continued fraction represents a rational number.

Proof. We will prove the theorem using mathematical induction. For $n = 1$, we have

$$[a_0; a_1] = a_0 + \frac{1}{a_1} = \frac{a_0a_1 + 1}{a_1},$$

which is rational. Now, we assume that for the positive integer $k$ the simple continued
fraction $[a_0; a_1, a_2, \ldots, a_k]$ is rational whenever $a_0, a_1, \ldots, a_k$ are integers with
$a_1, \ldots, a_k$ positive. Let $a_0, a_1, \ldots, a_{k+1}$ be integers with $a_1, \ldots, a_{k+1}$ positive. Note
that

$$[a_0; a_1, \ldots, a_{k+1}] = a_0 + \frac{1}{[a_1; a_2, \ldots, a_k, a_{k+1}]}.$$

By the induction hypothesis, $[a_1; a_2, \ldots, a_k, a_{k+1}]$ is rational; hence, there are integers
$r$ and $s$, with $s \ne 0$, such that this continued fraction equals $r/s$. Then

$$[a_0; a_1, \ldots, a_k, a_{k+1}] = a_0 + \frac{1}{r/s} = \frac{a_0r + s}{r},$$

which is again a rational number. ∎


We now show, using the Euclidean algorithm, that every rational number can be 
written as a finite simple continued fraction. 


Theorem 12.8. Every rational number can be expressed by a finite simple continued 
fraction. 


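Proof. Let $x = a/b$, where $a$ and $b$ are integers with $b > 0$. Let $r_0 = a$ and $r_1 = b$. Then,
the Euclidean algorithm produces the following sequence of equations:

$$\begin{aligned}
r_0 &= r_1q_1 + r_2 & 0 < r_2 < r_1, \\
r_1 &= r_2q_2 + r_3 & 0 < r_3 < r_2, \\
r_2 &= r_3q_3 + r_4 & 0 < r_4 < r_3, \\
&\ \ \vdots \\
r_{n-3} &= r_{n-2}q_{n-2} + r_{n-1} & 0 < r_{n-1} < r_{n-2}, \\
r_{n-2} &= r_{n-1}q_{n-1} + r_n & 0 < r_n < r_{n-1}, \\
r_{n-1} &= r_nq_n.
\end{aligned}$$

In these equations, $q_2, q_3, \ldots, q_n$ are positive integers. Writing these equations in
fractional form, we have

$$\begin{aligned}
\frac{a}{b} = \frac{r_0}{r_1} &= q_1 + \frac{r_2}{r_1} = q_1 + \frac{1}{r_1/r_2} \\
\frac{r_1}{r_2} &= q_2 + \frac{r_3}{r_2} = q_2 + \frac{1}{r_2/r_3} \\
\frac{r_2}{r_3} &= q_3 + \frac{r_4}{r_3} = q_3 + \frac{1}{r_3/r_4} \\
&\ \ \vdots \\
\frac{r_{n-3}}{r_{n-2}} &= q_{n-2} + \frac{r_{n-1}}{r_{n-2}} = q_{n-2} + \frac{1}{r_{n-2}/r_{n-1}} \\
\frac{r_{n-2}}{r_{n-1}} &= q_{n-1} + \frac{r_n}{r_{n-1}} = q_{n-1} + \frac{1}{r_{n-1}/r_n} \\
\frac{r_{n-1}}{r_n} &= q_n.
\end{aligned}$$

Substituting the value of $r_1/r_2$ from the second equation into the first equation, we obtain

$$\frac{a}{b} = q_1 + \cfrac{1}{q_2 + \cfrac{1}{r_2/r_3}}. \tag{12.10}$$

Similarly, substituting the value of $r_2/r_3$ from the third equation into (12.10), we obtain

$$\frac{a}{b} = q_1 + \cfrac{1}{q_2 + \cfrac{1}{q_3 + \cfrac{1}{r_3/r_4}}}.$$

Continuing in this manner, we find that

$$\frac{a}{b} = q_1 + \cfrac{1}{q_2 + \cfrac{1}{q_3 + \cfrac{1}{\ddots + \cfrac{1}{q_{n-1} + \cfrac{1}{q_n}}}}}.$$

Hence, $a/b = [q_1; q_2, \ldots, q_n]$. This shows that every rational number can be written as a
finite simple continued fraction. ∎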


We note that continued fractions for rational numbers are not unique. From the
identity

$$a_n = (a_n - 1) + \frac{1}{1},$$

we see that

$$[a_0; a_1, a_2, \ldots, a_{n-1}, a_n] = [a_0; a_1, a_2, \ldots, a_{n-1}, a_n - 1, 1]$$

whenever $a_n > 1$.

Example 12.6. We have

$$\frac{7}{11} = [0; 1, 1, 1, 3] = [0; 1, 1, 1, 2, 1].$$ ◄


In fact, it can be shown that every rational number can be written as a finite simple 
continued fraction in exactly two ways, one with an odd number of terms, the other with 
an even number (see Exercise 12 at the end of this section). 


Next, we will discuss the numbers obtained from a finite continued fraction by 
cutting off the expression at various stages. 


Definition. The continued fraction $[a_0; a_1, a_2, \ldots, a_k]$, where $k$ is a nonnegative integer
less than or equal to $n$, is called the $k$th convergent of the continued fraction
$[a_0; a_1, a_2, \ldots, a_n]$. The $k$th convergent is denoted by $C_k$.


In our subsequent work, we will need some properties of the convergents of a 
continued fraction. We now develop these properties, starting with a formula for the 
convergents. 


Theorem 12.9. Let $a_0, a_1, a_2, \ldots, a_n$ be real numbers, with $a_1, a_2, \ldots, a_n$ positive.
Let the sequences $p_0, p_1, \ldots, p_n$ and $q_0, q_1, \ldots, q_n$ be defined recursively by

$$\begin{aligned}
p_0 &= a_0 & q_0 &= 1 \\
p_1 &= a_0a_1 + 1 & q_1 &= a_1
\end{aligned}$$

and

$$p_k = a_kp_{k-1} + p_{k-2} \qquad q_k = a_kq_{k-1} + q_{k-2}$$

for $k = 2, 3, \ldots, n$. Then the $k$th convergent $C_k = [a_0; a_1, \ldots, a_k]$ is given by
$C_k = p_k/q_k$.


Proof. We will prove this theorem using mathematical induction. We first find the three
initial convergents. They are

$$\begin{aligned}
C_0 &= [a_0] = a_0/1 = p_0/q_0, \\
C_1 &= [a_0; a_1] = a_0 + \frac{1}{a_1} = \frac{a_0a_1 + 1}{a_1} = \frac{p_1}{q_1}, \\
C_2 &= [a_0; a_1, a_2] = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2}} = \frac{a_2(a_1a_0 + 1) + a_0}{a_2a_1 + 1} = \frac{p_2}{q_2}.
\end{aligned}$$

Hence, the theorem is valid for $k = 0$, $k = 1$, and $k = 2$.

Now assume that the theorem is true for the positive integer $k$, where $2 \le k < n$.
This means that

$$C_k = [a_0; a_1, \ldots, a_k] = \frac{p_k}{q_k} = \frac{a_kp_{k-1} + p_{k-2}}{a_kq_{k-1} + q_{k-2}}. \tag{12.11}$$

Because of the way in which the $p_j$'s and $q_j$'s are defined, we see that the real numbers
$p_{k-1}$, $p_{k-2}$, $q_{k-1}$, and $q_{k-2}$ depend only on the partial quotients $a_0, a_1, \ldots, a_{k-1}$.
Consequently, we can replace the real number $a_k$ by $a_k + 1/a_{k+1}$ in (12.11), to obtain

$$\begin{aligned}
C_{k+1} &= [a_0; a_1, \ldots, a_k, a_{k+1}] = \left[a_0; a_1, \ldots, a_{k-1}, a_k + \frac{1}{a_{k+1}}\right] \\
&= \frac{\left(a_k + \frac{1}{a_{k+1}}\right)p_{k-1} + p_{k-2}}{\left(a_k + \frac{1}{a_{k+1}}\right)q_{k-1} + q_{k-2}} \\
&= \frac{a_{k+1}(a_kp_{k-1} + p_{k-2}) + p_{k-1}}{a_{k+1}(a_kq_{k-1} + q_{k-2}) + q_{k-1}} \\
&= \frac{a_{k+1}p_k + p_{k-1}}{a_{k+1}q_k + q_{k-1}} \\
&= \frac{p_{k+1}}{q_{k+1}}.
\end{aligned}$$

This finishes the proof by induction. ∎


We will illustrate how to use Theorem 12.9 with the following example. 


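Example 12.7. We have $173/55 = [3; 6, 1, 7]$. We compute the sequences $p_j$ and $q_j$
for $j = 0, 1, 2, 3$, by

$$\begin{aligned}
p_0 &= 3 & q_0 &= 1 \\
p_1 &= 3 \cdot 6 + 1 = 19 & q_1 &= 6 \\
p_2 &= 1 \cdot 19 + 3 = 22 & q_2 &= 1 \cdot 6 + 1 = 7 \\
p_3 &= 7 \cdot 22 + 19 = 173 & q_3 &= 7 \cdot 7 + 6 = 55.
\end{aligned}$$

Hence, the convergents of the above continued fraction are

$$\begin{aligned}
C_0 &= p_0/q_0 = 3/1 = 3 \\
C_1 &= p_1/q_1 = 19/6 \\
C_2 &= p_2/q_2 = 22/7 \\
C_3 &= p_3/q_3 = 173/55.
\end{aligned}$$ ◄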


We now state and prove another important property of the convergents of a continued 
fraction. 


Theorem 12.10. Let $C_k = p_k/q_k$ be the $k$th convergent of the continued fraction
$[a_0; a_1, \ldots, a_n]$, where $k$ is a positive integer, $1 \le k \le n$. If $p_k$ and $q_k$ are as defined in Theorem
12.9, then

$$p_kq_{k-1} - p_{k-1}q_k = (-1)^{k-1}.$$

Proof. We use mathematical induction to prove the theorem. For $k = 1$, we have

$$p_1q_0 - p_0q_1 = (a_0a_1 + 1) \cdot 1 - a_0a_1 = 1.$$

Assume that the theorem is true for an integer $k$, where $1 \le k < n$, so that

$$p_kq_{k-1} - p_{k-1}q_k = (-1)^{k-1}.$$

Then we have

$$\begin{aligned}
p_{k+1}q_k - p_kq_{k+1} &= (a_{k+1}p_k + p_{k-1})q_k - p_k(a_{k+1}q_k + q_{k-1}) \\
&= p_{k-1}q_k - p_kq_{k-1} = -(-1)^{k-1} = (-1)^k,
\end{aligned}$$

so that the theorem is true for $k + 1$. This finishes the proof by induction. ∎


We illustrate this theorem with the example that we used to illustrate Theorem 12.9. 


Example 12.8. For the continued fraction $[3; 6, 1, 7]$, we have

$$\begin{aligned}
p_0q_1 - p_1q_0 &= 3 \cdot 6 - 19 \cdot 1 = -1 \\
p_1q_2 - p_2q_1 &= 19 \cdot 7 - 22 \cdot 6 = 1 \\
p_2q_3 - p_3q_2 &= 22 \cdot 55 - 173 \cdot 7 = -1.
\end{aligned}$$ ◄

As a consequence of Theorem 12.10, we see that for $k = 1, 2, \ldots$, the convergents $p_k/q_k$
of a simple continued fraction are in lowest terms. Corollary 12.10.1 demonstrates this.


Corollary 12.10.1. Let $C_k = p_k/q_k$ be the $k$th convergent of the simple continued
fraction $[a_0; a_1, \ldots, a_n]$, where the integers $p_k$ and $q_k$ are as defined in Theorem 12.9.
Then the integers $p_k$ and $q_k$ are relatively prime.


Proof. Let $d = (p_k, q_k)$. By Theorem 12.10, we know that

$$p_kq_{k-1} - q_kp_{k-1} = (-1)^{k-1}.$$

Hence,

$$d \mid (-1)^{k-1}.$$

Therefore, $d = 1$. ∎


We also have the following useful corollary of Theorem 12.10. 


Corollary 12.10.2. Let $C_k = p_k/q_k$ be the $k$th convergent of the simple continued
fraction $[a_0; a_1, a_2, \ldots, a_n]$. Then

$$C_k - C_{k-1} = \frac{(-1)^{k-1}}{q_kq_{k-1}}$$

for all integers $k$ with $1 \le k \le n$. Also,

$$C_k - C_{k-2} = \frac{a_k(-1)^k}{q_kq_{k-2}}$$

for all integers $k$ with $2 \le k \le n$.

Proof. Subtracting fractions and applying Theorem 12.10 tells us that

$$C_k - C_{k-1} = \frac{p_k}{q_k} - \frac{p_{k-1}}{q_{k-1}} = \frac{p_kq_{k-1} - p_{k-1}q_k}{q_kq_{k-1}} = \frac{(-1)^{k-1}}{q_kq_{k-1}},$$

giving us the first identity of the corollary.

To obtain the second identity, note that

$$C_k - C_{k-2} = \frac{p_k}{q_k} - \frac{p_{k-2}}{q_{k-2}} = \frac{p_kq_{k-2} - p_{k-2}q_k}{q_kq_{k-2}}.$$

Because $p_k = a_kp_{k-1} + p_{k-2}$ and $q_k = a_kq_{k-1} + q_{k-2}$, we see that the numerator of the
fraction on the right is

$$\begin{aligned}
p_kq_{k-2} - p_{k-2}q_k &= (a_kp_{k-1} + p_{k-2})q_{k-2} - p_{k-2}(a_kq_{k-1} + q_{k-2}) \\
&= a_k(p_{k-1}q_{k-2} - p_{k-2}q_{k-1}) \\
&= a_k(-1)^{k-2},
\end{aligned}$$

using Theorem 12.10 to see that $p_{k-1}q_{k-2} - p_{k-2}q_{k-1} = (-1)^{k-2}$.

Therefore, we find that

$$C_k - C_{k-2} = \frac{a_k(-1)^k}{q_kq_{k-2}}.$$

This is the second identity of the corollary. ∎


Using Corollary 12.10.2, we can prove the following theorem, which is useful when 
developing infinite continued fractions. 


Theorem 12.11. Let $C_k$ be the $k$th convergent of the finite simple continued fraction
$[a_0; a_1, a_2, \ldots, a_n]$. Then

$$C_1 > C_3 > C_5 > \cdots,$$
$$C_0 < C_2 < C_4 < \cdots,$$

and every odd-numbered convergent $C_{2j+1}$, $j = 0, 1, 2, \ldots$, is greater than every
even-numbered convergent $C_{2j}$, $j = 0, 1, 2, \ldots$.


Proof. Because Corollary 12.10.2 tells us that, for $k = 2, 3, \ldots, n$,

$$C_k - C_{k-2} = \frac{a_k(-1)^k}{q_kq_{k-2}},$$

we know that

$$C_k < C_{k-2}$$

when $k$ is odd, and

$$C_k > C_{k-2}$$

when $k$ is even. Hence,

$$C_1 > C_3 > C_5 > \cdots$$

and

$$C_0 < C_2 < C_4 < \cdots.$$

To show that every odd-numbered convergent is greater than every even-numbered
convergent, note that from Corollary 12.10.2, we have


so that $C_{2m-1} > C_{2m}$. To compare $C_{2k}$ and $C_{2j-1}$, we see that

$$C_{2j-1} > C_{2j+2k-1} > C_{2j+2k} > C_{2k},$$

so that every odd-numbered convergent is greater than every even-numbered convergent.


Example 12.9. Consider the finite simple continued fraction $[2; 3, 1, 1, 2, 4]$. Then the
convergents are

$$\begin{aligned}
C_1 &= 7/3 = 2.3333\ldots \\
C_2 &= 9/4 = 2.25 \\
C_3 &= 16/7 = 2.2857\ldots \\
C_4 &= 41/18 = 2.2777\ldots \\
C_5 &= 180/79 = 2.2784\ldots.
\end{aligned}$$

We see that

$$C_0 = 2 < C_2 = 2.25 < C_4 = 2.2777\ldots < C_5 = 2.2784\ldots < C_3 = 2.2857\ldots < C_1 = 2.3333\ldots.$$ ◄
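
The constructions of this section as an added Python example (not code from the book): `continued_fraction` runs the Euclidean algorithm of Theorem 12.8, `convergents` applies the recurrence of Theorem 12.9, and `check_theorems` tests Theorem 12.10, Corollary 12.10.1 and Theorem 12.11 on the result. All function names are chosen for this example, and the input $-7/3$ is a constructed sample.

```python
from fractions import Fraction
from math import gcd


def continued_fraction(a, b):
    """Partial quotients [a_0; a_1, ..., a_n] of a/b via the Euclidean algorithm."""
    if b <= 0:
        raise ValueError("denominator must be positive")
    quotients = []
    while b:
        q, r = divmod(a, b)   # a = b*q + r with 0 <= r < b, also for negative a
        quotients.append(q)
        a, b = b, r
    return quotients


def convergents(quotients):
    """List of (p_k, q_k) from the recurrence of Theorem 12.9."""
    # Seeding with (p, q) = (1, 0) before a_0 reproduces p_1 = a_0*a_1 + 1 and
    # q_1 = a_1; the seed is a convenience of this example, not notation from the text.
    p_prev, q_prev = 1, 0
    p, q = quotients[0], 1
    result = [(p, q)]
    for a in quotients[1:]:
        if a <= 0:
            raise ValueError("partial quotients after a_0 must be positive")
        p, p_prev = a * p + p_prev, p
        q, q_prev = a * q + q_prev, q
        result.append((p, q))
    return result


def value(quotients):
    """The rational number represented by the continued fraction."""
    p, q = convergents(quotients)[-1]
    return Fraction(p, q)


def other_expansion(quotients):
    """The second expansion of the same number: [..., a_n] <-> [..., a_n - 1, 1]."""
    *head, last = quotients
    if last > 1 or not head:
        return head + [last - 1, 1]
    return head[:-1] + [head[-1] + 1]    # last == 1: fold it into the previous quotient


def check_theorems(quotients):
    """(Theorem 12.10 holds, convergents in lowest terms, ordering of Theorem 12.11 holds)."""
    pq = convergents(quotients)
    c = [Fraction(p, q) for p, q in pq]
    determinant = all(
        pq[k][0] * pq[k - 1][1] - pq[k - 1][0] * pq[k][1] == (-1) ** (k - 1)
        for k in range(1, len(pq))
    )
    lowest_terms = all(gcd(p, q) == 1 for p, q in pq)
    even, odd = c[0::2], c[1::2]
    ordering = (
        all(x < y for x, y in zip(even, even[1:]))       # C_0 < C_2 < C_4 < ...
        and all(x > y for x, y in zip(odd, odd[1:]))     # C_1 > C_3 > C_5 > ...
        and all(o > e for o in odd for e in even)        # every odd above every even
    )
    return determinant, lowest_terms, ordering


if __name__ == "__main__":
    for a, b in [(62, 23), (173, 55), (180, 79), (-7, 3)]:
        cf = continued_fraction(a, b)
        print(f"{a}/{b} = {cf}, convergents {convergents(cf)}, checks {check_theorems(cf)}")
```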


EXERCISES 


1. Find the rational number, expressed in lowest terms, represented by each of the following
simple continued fractions.

a) [2; 7] b) [1; 2, 3] c) [0; 5, 6] d) [3; 7, 15, 1] e) [1; 1] f) [1; 1, 1] g) [1; 1, 1, 1] h) [1; 1, 1, 1, 1]


2. Find the rational number, expressed in lowest terms, represented by each of the following
simple continued fractions.

a) [10; 3] b) [3; 2, 1] c) [0; 1, 2, 3] d) [2; 1, 2, 1] e) [2; 1, 2, 1, 1, 4] f) [1; 2, 1, 2] g) [1; 2, 1, 2, 1] h) [1; 2, 1, 2, 1, 2]


3. Find the simple continued fraction expansion, not terminating with the partial quotient of 1,
of each of the following rational numbers.

a) 18/13 b) 32/17 c) 19/9 d) 310/99 e) −931/1005 f) 831/8110


4. Find the simple continued fraction expansion, not terminating with the partial quotient of 1,
of each of the following rational numbers.

a) 6/5 b) 22/7 c) 19/29 d) 5/999 e) −943/1001 f) 873/4867


5. Find the convergents of each of the continued fractions found in Exercise 3.

6. Find the convergents of each of the continued fractions found in Exercise 4.

7. Show that the convergents that you found in Exercise 5 satisfy Theorem 12.11.


8. Let $f_k$ denote the $k$th Fibonacci number. Find the simple continued fraction, terminating with
the partial quotient of 1, of $f_{k+1}/f_k$, where $k$ is a positive integer.


9. Show that if the simple continued fraction expression of the rational number $\alpha$, $\alpha > 1$, is
$[a_0; a_1, \ldots, a_k]$, then the simple continued fraction expression of $1/\alpha$ is $[0; a_0, a_1, \ldots, a_k]$.


10. Show that if $a_0 > 0$, then

$$p_k/p_{k-1} = [a_k; a_{k-1}, \ldots, a_1, a_0]$$

and

$$q_k/q_{k-1} = [a_k; a_{k-1}, \ldots, a_2, a_1],$$

where $C_{k-1} = p_{k-1}/q_{k-1}$ and $C_k = p_k/q_k$, $k \ge 1$, are successive convergents of the continued
fraction $[a_0; a_1, \ldots, a_n]$. (Hint: Use the relation $p_k = a_kp_{k-1} + p_{k-2}$ to show that $p_k/p_{k-1} =
a_k + 1/(p_{k-1}/p_{k-2})$.)


11. Show that $q_k \ge f_k$ for $k = 1, 2, \ldots$, where $C_k = p_k/q_k$ is the $k$th convergent of the simple
continued fraction $[a_0; a_1, \ldots, a_n]$ and $f_k$ denotes the $k$th Fibonacci number.


12. Show that every rational number has exactly two finite simple continued fraction expansions.


13. Let $[a_0; a_1, a_2, \ldots, a_n]$ be the simple continued fraction expansion of $r/s$, where $(r, s) = 1$
and $r > 1$. Show that this continued fraction is symmetric, that is, $a_0 = a_n$, $a_1 = a_{n-1}$, $a_2 =
a_{n-2}, \ldots$, if and only if $r \mid (s^2 + 1)$ if $n$ is odd and $r \mid (s^2 - 1)$ if $n$ is even. (Hint: Use Exercise
10 and Theorem 12.10.)


14. Explain how finite continued fractions for rational numbers, with both plus and minus signs
allowed, can be generated from the division algorithm given in Exercise 18 of Section 1.5.


15. Let $a_0, a_1, a_2, \ldots, a_k$ be real numbers with $a_1, a_2, \ldots$ positive, and let $x$ be a positive real
number. Show that $[a_0; a_1, \ldots, a_k] < [a_0; a_1, \ldots, a_k + x]$ if $k$ is odd and $[a_0; a_1, \ldots, a_k] >
[a_0; a_1, \ldots, a_k + x]$ if $k$ is even.


16. Determine whether $n$ can be expressed as the sum of positive integers $a$ and $b$, where all the
partial quotients of the finite simple continued fraction of $a/b$ are either 1 or 2, for each of
the following integers $n$.

a) 13 b) 17 c) 19 d) 23 e) 27 f) 29


Computations and Explorations


1. Find the simple continued fractions of 1001/3000, 10,001/30,000, and 100,001/300,000.


2. Find the finite continued fractions of $x$ and $2x$ for 20 different rational numbers. Can you find
a rule for finding the finite simple continued fraction of $2x$ from that of $x$?


3. Determine for each integer $n$, $n < 1000$, whether there are integers $a$ and $b$ with $n = a + b$
such that the partial quotients of the continued fraction of $a/b$ are all either 1 or 2. Can you
make any conjectures?


Programming Projects


1. Given a rational number, find its simple continued fraction expansion.

2. Given a finite simple continued fraction, find its convergents and the rational number that this
continued fraction represents.


Infinite Continued Fractions 


In this section, we will define infinite continued fractions and show how to represent a 
real number using an infinite continued fraction. We will show how to use the continued 
fraction representation of a real number to produce rational numbers that are excellent 
approximations of this real number. We will also show how to apply continued fractions 
to explain a certain kind of attack on the RSA cryptosystem. In the next section, we will 
study the continued fractions of quadratic irrationalities. 


To begin, suppose that we have an infinite sequence of positive integers $a_0, a_1, a_2, \ldots$.
How can we define the infinite continued fraction $[a_0; a_1, a_2, \ldots]$? To make sense
of infinite continued fractions, we need a result from mathematical analysis. We state the
result, and refer the reader to a mathematical analysis text, such as [Ru64], for a proof.


Theorem 12.12. Let $x_0, x_1, x_2, \ldots$ be a sequence of real numbers such that $x_0 < x_1 <
x_2 < \cdots$ and $x_k < U$ for $k = 0, 1, 2, \ldots$ for some real number $U$, or $x_0 > x_1 > x_2 > \cdots$
and $x_k > L$ for $k = 0, 1, 2, \ldots$ for some real number $L$. Then the terms of the sequence
$x_0, x_1, x_2, \ldots$ tend to a limit $x$, that is, there exists a real number $x$ such that

$$\lim_{k \to \infty} x_k = x.$$


Theorem 12.12 tells us that the terms of an infinite sequence tend to a limit in two 
special situations: when the terms of the sequence are increasing and all are less than an 
upper bound, and when the terms of the sequence are decreasing and all are greater than 
a lower bound. 


We can now define infinite continued fractions as limits of finite continued fractions, 
as the following theorem shows. 


Theorem 12.13. Let $a_0, a_1, a_2, \ldots$ be an infinite sequence of integers with $a_1, a_2, \ldots$
positive, and let $C_k = [a_0; a_1, a_2, \ldots, a_k]$. Then the convergents $C_k$ tend to a limit $\alpha$,
that is,

$$\lim_{k \to \infty} C_k = \alpha.$$


Before proving Theorem 12.13, we note that the limit a described in the statement of 
the theorem is called the value of the infinite simple continued fraction [ag; ay, ap, . . .]. 
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To prove Theorem 12.13, we will show that the infinite sequence of even-numbered 
convergents is increasing and has an upper bound and that the infinite sequence of odd- 
numbered convergents is decreasing and has a lower bound. We then show that the limits 
of these two sequences, guaranteed to exist by Theorem 12.12, are in fact equal. 


Proof. Let $m$ be an even positive integer. By Theorem 12.11, we see that

$$C_1 > C_3 > C_5 > \cdots > C_{m-1},$$
$$C_0 < C_2 < C_4 < \cdots < C_m,$$

and $C_{2j} < C_{2k+1}$ whenever $2j \le m$ and $2k + 1 < m$. By considering all possible values
of $m$, we see that

$$C_1 > C_3 > C_5 > \cdots > C_{2n-1} > C_{2n+1} > \cdots,$$
$$C_0 < C_2 < C_4 < \cdots < C_{2n-2} < C_{2n} < \cdots,$$

and $C_{2j} < C_{2k+1}$ for all positive integers $j$ and $k$. We see that the hypotheses of Theorem
12.12 are satisfied for each of the two sequences $C_1, C_3, C_5, \ldots$ and $C_0, C_2, C_4, \ldots$.
Hence, the sequence $C_1, C_3, C_5, \ldots$ tends to a limit $\alpha_1$, and the sequence $C_0, C_2, C_4, \ldots$
tends to a limit $\alpha_2$, that is,

$$\lim_{n \to \infty} C_{2n+1} = \alpha_1$$

and

$$\lim_{n \to \infty} C_{2n} = \alpha_2.$$

Our goal is to show that these two limits $\alpha_1$ and $\alpha_2$ are equal. Using Corollary 12.10.2,
we have

$$C_{2n+1} - C_{2n} = \frac{p_{2n+1}}{q_{2n+1}} - \frac{p_{2n}}{q_{2n}} = \frac{(-1)^{(2n+1)-1}}{q_{2n+1} q_{2n}} = \frac{1}{q_{2n+1} q_{2n}}.$$

Because $q_k \ge k$ for all positive integers $k$ (see Exercise 11 of Section 12.2), we know
that

$$\frac{1}{q_{2n+1} q_{2n}} \le \frac{1}{(2n+1)(2n)},$$

and, hence,

$$C_{2n+1} - C_{2n} = \frac{1}{q_{2n+1} q_{2n}}$$

tends to zero, that is,

$$\lim_{n \to \infty} (C_{2n+1} - C_{2n}) = 0.$$

Hence, the sequences $C_1, C_3, C_5, \ldots$ and $C_0, C_2, C_4, \ldots$ have the same limit, because

$$\lim_{n \to \infty} (C_{2n+1} - C_{2n}) = \lim_{n \to \infty} C_{2n+1} - \lim_{n \to \infty} C_{2n} = 0.$$

Therefore, $\alpha_1 = \alpha_2$, and we conclude that all the convergents tend to the limit
$\alpha = \alpha_1 = \alpha_2$. This finishes the proof of the theorem. ■

Previously, we showed that rational numbers have finite simple continued fractions.
Next, we will show that the value of any infinite simple continued fraction is irrational.


Theorem 12.14. Let $a_0, a_1, a_2, \ldots$ be integers with $a_1, a_2, \ldots$ positive. Then
$[a_0; a_1, a_2, \ldots]$ is irrational.

Proof. Let $\alpha = [a_0; a_1, a_2, \ldots]$, and let

$$C_k = p_k/q_k = [a_0; a_1, a_2, \ldots, a_k]$$

denote the $k$th convergent of $\alpha$. When $n$ is a positive integer, Theorem 12.13 shows that
$C_{2n} < \alpha < C_{2n+1}$, so that

$$0 < \alpha - C_{2n} < C_{2n+1} - C_{2n}.$$

However, by Corollary 12.10.2, we know that

$$C_{2n+1} - C_{2n} = \frac{1}{q_{2n+1} q_{2n}},$$

which means that

$$0 < \alpha - \frac{p_{2n}}{q_{2n}} < \frac{1}{q_{2n+1} q_{2n}},$$

and, therefore, we have

$$0 < \alpha q_{2n} - p_{2n} < \frac{1}{q_{2n+1}}.$$

Assume that $\alpha$ is rational, so that $\alpha = a/b$, where $a$ and $b$ are integers with $b \ne 0$. Then

$$0 < \frac{a q_{2n}}{b} - p_{2n} < \frac{1}{q_{2n+1}},$$

and by multiplying this inequality by $b$, we see that

$$0 < a q_{2n} - b p_{2n} < \frac{b}{q_{2n+1}}.$$

Note that $a q_{2n} - b p_{2n}$ is an integer for all positive integers $n$. However, because
$q_{2n+1} \ge 2n + 1$ for each integer $n$, there is an integer $n_0$ such that $q_{2n_0+1} > b$, so that
$b/q_{2n_0+1} < 1$. This is a contradiction, because the integer $a q_{2n_0} - b p_{2n_0}$ cannot be
between 0 and 1. We conclude that $\alpha$ is irrational. ■


We have demonstrated that every infinite simple continued fraction represents an 
irrational number. We will now show that every irrational number can be uniquely 
expressed by an infinite simple continued fraction, by first constructing such a continued 
fraction, and then by showing that it is unique. 


Theorem 12.15. Let $\alpha = \alpha_0$ be an irrational number, and define the sequence
$a_0, a_1, a_2, \ldots$ recursively by

$$a_k = [\alpha_k], \qquad \alpha_{k+1} = 1/(\alpha_k - a_k)$$

for $k = 0, 1, 2, \ldots$. Then $\alpha$ is the value of the infinite simple continued fraction
$[a_0; a_1, a_2, \ldots]$.


Proof. From the recursive definition of the integers $a_k$, we see that $a_k$ is an integer for
every $k$. Furthermore, using mathematical induction, we can show that $\alpha_k$ is irrational
for every nonnegative integer $k$ and that, as a consequence, $\alpha_{k+1}$ exists. First, note that
$\alpha_0 = \alpha$ is irrational, so that $\alpha_0 \ne a_0 = [\alpha_0]$ and $\alpha_1 = 1/(\alpha_0 - a_0)$ exists.

Next, we assume that $\alpha_k$ is irrational. As a consequence, $\alpha_{k+1}$ exists. We can easily
see that $\alpha_{k+1}$ is also irrational, because the relation

$$\alpha_{k+1} = 1/(\alpha_k - a_k)$$

implies that

$$(12.12) \qquad \alpha_k = a_k + \frac{1}{\alpha_{k+1}},$$

and if $\alpha_{k+1}$ were rational, then $\alpha_k$ would also be rational. Now, because $\alpha_k$ is irrational
and $a_k$ is an integer, we know that $\alpha_k \ne a_k$, and

$$a_k < \alpha_k < a_k + 1,$$

so that

$$0 < \alpha_k - a_k < 1.$$

Hence,

$$\alpha_{k+1} = 1/(\alpha_k - a_k) > 1$$

and, consequently,

$$a_{k+1} = [\alpha_{k+1}] \ge 1$$

for $k = 0, 1, 2, \ldots$. This means that all the integers $a_1, a_2, \ldots$ are positive.

Note that by repeatedly using (12.12), we see that

$$\alpha = \alpha_0 = a_0 + \frac{1}{\alpha_1} = [a_0; \alpha_1]$$
$$= a_0 + \cfrac{1}{a_1 + \cfrac{1}{\alpha_2}} = [a_0; a_1, \alpha_2]$$
$$\vdots$$
$$= a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cdots + \cfrac{1}{a_k + \cfrac{1}{\alpha_{k+1}}}}} = [a_0; a_1, a_2, \ldots, a_k, \alpha_{k+1}].$$

What we must now show is that the value of $[a_0; a_1, a_2, \ldots, a_k, \alpha_{k+1}]$ tends to $\alpha$ as $k$
tends to infinity, that is, as $k$ grows without bound. By Theorem 12.9, we see that

$$\alpha = [a_0; a_1, \ldots, a_k, \alpha_{k+1}] = \frac{\alpha_{k+1} p_k + p_{k-1}}{\alpha_{k+1} q_k + q_{k-1}},$$

where $C_j = p_j/q_j$ is the $j$th convergent of $[a_0; a_1, a_2, \ldots]$. Hence,

$$\alpha - C_k = \frac{\alpha_{k+1} p_k + p_{k-1}}{\alpha_{k+1} q_k + q_{k-1}} - \frac{p_k}{q_k}
= \frac{-(p_k q_{k-1} - p_{k-1} q_k)}{(\alpha_{k+1} q_k + q_{k-1}) q_k}
= \frac{-(-1)^{k-1}}{(\alpha_{k+1} q_k + q_{k-1}) q_k},$$

where we have used Theorem 12.10 to simplify the numerator on the right-hand side of
the second equality. Because

$$\alpha_{k+1} q_k + q_{k-1} > a_{k+1} q_k + q_{k-1} = q_{k+1},$$

we see that

$$|\alpha - C_k| < \frac{1}{q_k q_{k+1}}.$$

Because $q_k \ge k$ (from Exercise 11 of Section 12.2), we note that $1/(q_k q_{k+1})$ tends to zero
as $k$ tends to infinity. Hence, $C_k$ tends to $\alpha$ as $k$ tends to infinity or, phrased differently,
the value of the infinite simple continued fraction $[a_0; a_1, a_2, \ldots]$ is $\alpha$. ■


To show that the infinite simple continued fraction that represents an irrational
number is unique, we prove the following theorem.

Theorem 12.16. If the two infinite simple continued fractions $[a_0; a_1, a_2, \ldots]$ and
$[b_0; b_1, b_2, \ldots]$ represent the same irrational number, then $a_k = b_k$ for $k = 0, 1, 2, \ldots$.

Proof. Suppose that $\alpha = [a_0; a_1, a_2, \ldots]$. Then, because $C_0 = a_0$ and $C_1 = a_0 + 1/a_1$,
Theorem 12.11 tells us that

$$a_0 < \alpha < a_0 + 1/a_1,$$

so that $a_0 = [\alpha]$. Further, we note that

$$[a_0; a_1, a_2, \ldots] = a_0 + \frac{1}{[a_1; a_2, a_3, \ldots]},$$

because

$$\alpha = [a_0; a_1, a_2, \ldots] = \lim_{k \to \infty} [a_0; a_1, a_2, \ldots, a_k]$$
$$= \lim_{k \to \infty} \left( a_0 + \frac{1}{[a_1; a_2, a_3, \ldots, a_k]} \right)$$
$$= a_0 + \frac{1}{\lim_{k \to \infty} [a_1; a_2, \ldots, a_k]}$$
$$= a_0 + \frac{1}{[a_1; a_2, a_3, \ldots]}.$$

Suppose that

$$[a_0; a_1, a_2, \ldots] = [b_0; b_1, b_2, \ldots].$$

Our remarks show that

$$a_0 = b_0 = [\alpha]$$

and that

$$a_0 + \frac{1}{[a_1; a_2, \ldots]} = b_0 + \frac{1}{[b_1; b_2, \ldots]},$$

so that

$$[a_1; a_2, \ldots] = [b_1; b_2, \ldots].$$

Now, assume that $a_k = b_k$, and that $[a_{k+1}; a_{k+2}, \ldots] = [b_{k+1}; b_{k+2}, \ldots]$. Using the same
argument, we see that $a_{k+1} = b_{k+1}$, and

$$a_{k+1} + \frac{1}{[a_{k+2}; a_{k+3}, \ldots]} = b_{k+1} + \frac{1}{[b_{k+2}; b_{k+3}, \ldots]},$$

which implies that

$$[a_{k+2}; a_{k+3}, \ldots] = [b_{k+2}; b_{k+3}, \ldots].$$

Hence, by mathematical induction, we see that $a_k = b_k$ for $k = 0, 1, 2, \ldots$. ■


To find the simple continued fraction expansion of a real number, we use the 
algorithm given in Theorem 12.15. We illustrate this procedure with the following 
example. 


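Example 12.10. Let $\alpha = \sqrt{6}$. We find that

$$a_0 = [\sqrt{6}] = 2, \qquad \alpha_1 = \frac{1}{\sqrt{6} - 2} = \frac{\sqrt{6} + 2}{2},$$
$$a_1 = \left[ \frac{\sqrt{6} + 2}{2} \right] = 2, \qquad \alpha_2 = \frac{1}{\frac{\sqrt{6} + 2}{2} - 2} = \sqrt{6} + 2,$$
$$a_2 = [\sqrt{6} + 2] = 4, \qquad \alpha_3 = \frac{1}{(\sqrt{6} + 2) - 4} = \frac{\sqrt{6} + 2}{2} = \alpha_1.$$

Because $\alpha_3 = \alpha_1$, we see that $a_3 = a_1$, $a_4 = a_2$, ..., and so on. Hence,

$$\sqrt{6} = [2; 2, 4, 2, 4, 2, 4, \ldots].$$

The simple continued fraction of $\sqrt{6}$ is periodic. We will discuss periodic simple
continued fractions in the next section. ◄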


The convergents of the infinite simple continued fraction of an irrational number $\alpha$ are
good approximations to $\alpha$. This leads to the following theorem, which we introduced in
Exercise 34 of Section 1.1.

Theorem 12.17. Dirichlet's Theorem on Diophantine Approximation. If $\alpha$ is an
irrational number, then there are infinitely many rational numbers $p/q$ such that

$$|\alpha - p/q| < 1/q^2.$$

Proof. Let $p_k/q_k$ be the $k$th convergent of the continued fraction of $\alpha$. Then, by the
proof of Theorem 12.15, we know that

$$|\alpha - p_k/q_k| < 1/(q_k q_{k+1}).$$

Because $q_k < q_{k+1}$, it follows that

$$|\alpha - p_k/q_k| < 1/q_k^2.$$

Consequently, the convergents of $\alpha$, $p_k/q_k$, $k = 1, 2, \ldots$, are infinitely many rational
numbers meeting the conditions of the theorem. ■


The next theorem and corollary show that the convergents of the simple continued
fraction of $\alpha$ are the best rational approximations to $\alpha$, in the sense that $p_k/q_k$ is closer
to $\alpha$ than any other rational number with a denominator less than $q_k$. (See Exercise 17
for the best rational approximations to a real number for all denominators.)

Theorem 12.18. Let $\alpha$ be an irrational number and let $p_j/q_j$, $j = 1, 2, \ldots$, be the
convergents of the infinite simple continued fraction of $\alpha$. If $r$ and $s$ are integers with
$s > 0$ and if $k$ is a positive integer such that

$$|s\alpha - r| < |q_k \alpha - p_k|,$$

then $s \ge q_{k+1}$.


Proof. Assume that $|s\alpha - r| < |q_k \alpha - p_k|$, but that $1 \le s < q_{k+1}$. We consider the
simultaneous equations

$$p_k x + p_{k+1} y = r$$
$$q_k x + q_{k+1} y = s.$$

By multiplying the first equation by $q_k$ and the second by $p_k$, and then subtracting the
second from the first, we find that

$$(p_{k+1} q_k - p_k q_{k+1}) y = r q_k - s p_k.$$

By Theorem 12.10, we know that $p_{k+1} q_k - p_k q_{k+1} = (-1)^k$, so that

$$y = (-1)^k (r q_k - s p_k).$$

Similarly, multiplying the first equation by $q_{k+1}$ and the second by $p_{k+1}$, and then
subtracting the first from the second, we find that

$$x = (-1)^k (s p_{k+1} - r q_{k+1}).$$

We will now show that $x \ne 0$ and $y \ne 0$. If $x = 0$, then $s p_{k+1} = r q_{k+1}$. Because
$(p_{k+1}, q_{k+1}) = 1$, Lemma 3.4 tells us that $q_{k+1} \mid s$, which implies that $q_{k+1} \le s$, contrary
to our assumption. If $y = 0$, then $r = p_k x$ and $s = q_k x$, so that

$$|s\alpha - r| = |x| \, |q_k \alpha - p_k| \ge |q_k \alpha - p_k|,$$

because $|x| \ge 1$, contrary to our assumption.

Next, we show that $x$ and $y$ have opposite signs. First, suppose that $y < 0$. Because
$q_k x = s - q_{k+1} y$, we know that $x > 0$, because $q_k x > 0$ and $q_k > 0$. When $y > 0$, because
$q_{k+1} y \ge q_{k+1} > s$, we see that $q_k x = s - q_{k+1} y < 0$, so that $x < 0$.

By Theorem 12.11, we know that either $p_k/q_k < \alpha < p_{k+1}/q_{k+1}$ or that
$p_{k+1}/q_{k+1} < \alpha < p_k/q_k$. In either case, we easily see that $q_k \alpha - p_k$ and $q_{k+1} \alpha - p_{k+1}$
have opposite signs.

From the simultaneous equations we started with, we see that

$$|s\alpha - r| = |(q_k x + q_{k+1} y)\alpha - (p_k x + p_{k+1} y)|$$
$$= |x(q_k \alpha - p_k) + y(q_{k+1} \alpha - p_{k+1})|.$$

Combining the conclusions of the previous two paragraphs, we see that $x(q_k \alpha - p_k)$ and
$y(q_{k+1} \alpha - p_{k+1})$ have the same sign, so that

$$|s\alpha - r| = |x| \, |q_k \alpha - p_k| + |y| \, |q_{k+1} \alpha - p_{k+1}|$$
$$\ge |x| \, |q_k \alpha - p_k|$$
$$\ge |q_k \alpha - p_k|,$$

because $|x| \ge 1$. This contradicts our assumption.

We have shown that our assumption is false, and, consequently, the proof is complete. ■


Corollary 12.18.1. Let $\alpha$ be an irrational number and let $p_j/q_j$, $j = 1, 2, \ldots$, be the
convergents of the infinite simple continued fraction of $\alpha$. If $r/s$ is a rational number,
where $r$ and $s$ are integers with $s > 0$, and if $k$ is a positive integer such that

$$|\alpha - r/s| < |\alpha - p_k/q_k|,$$

then $s > q_k$.

Proof. Suppose that $s \le q_k$ and that

$$|\alpha - r/s| < |\alpha - p_k/q_k|.$$

By multiplying these two inequalities, we find that

$$s \, |\alpha - r/s| < q_k \, |\alpha - p_k/q_k|,$$

so that

$$|s\alpha - r| < |q_k \alpha - p_k|,$$

violating the conclusion of Theorem 12.18. ■


Example 12.11. The simple continued fraction of the real number $\pi$ is $\pi = [3; 7, 15,
1, 292, 1, 1, 1, 2, 1, 3, \ldots]$. Note that there is no discernible pattern in the sequence
of partial quotients. The convergents of this continued fraction are the best rational
approximations to $\pi$. The first five are 3, 22/7, 333/106, 355/113, and 103,993/33,102.
We conclude from Corollary 12.18.1 that 22/7 is the best rational approximation of $\pi$
with denominator less than or equal to 105, and so on. ◄


Finally, we conclude this section with a result that shows that any sufficiently close 
rational approximation to an irrational number must be a convergent of the infinite simple 
continued fraction expansion of this number. 


Theorem 12.19. If $\alpha$ is an irrational number and if $r/s$ is a rational number in lowest
terms, where $r$ and $s$ are integers with $s > 0$ such that

$$|\alpha - r/s| < 1/(2s^2),$$

then $r/s$ is a convergent of the simple continued fraction expansion of $\alpha$.

Proof. Assume that $r/s$ is not a convergent of the simple continued fraction expansion
of $\alpha$. Then there are successive convergents $p_k/q_k$ and $p_{k+1}/q_{k+1}$ such that $q_k \le s < q_{k+1}$.
By Theorem 12.18, we see that

$$|q_k \alpha - p_k| \le |s\alpha - r| = s \, |\alpha - r/s| < 1/(2s).$$

Dividing by $q_k$, we obtain

$$|\alpha - p_k/q_k| < 1/(2 s q_k).$$

Because we know that $|s p_k - r q_k| \ge 1$ (we know that $s p_k - r q_k$ is a nonzero integer
because $r/s \ne p_k/q_k$), it follows that

$$\frac{1}{s q_k} \le \frac{|s p_k - r q_k|}{s q_k} = \left| \frac{p_k}{q_k} - \frac{r}{s} \right|
\le \left| \alpha - \frac{p_k}{q_k} \right| + \left| \alpha - \frac{r}{s} \right|
< \frac{1}{2 s q_k} + \frac{1}{2 s^2}$$

(where we have used the triangle inequality to obtain the second inequality). Hence, we
see that

$$1/(2 s q_k) < 1/(2 s^2).$$

Consequently,

$$2 s q_k > 2 s^2,$$

which implies that $q_k > s$, contradicting the assumption. ■


Applying Continued Fractions to Attack the RSA Cryptosystem We can use a 
version of Theorem 12.19 for rational numbers to explain why an attack on certain 
implementations of RSA ciphers works. We leave it as an exercise to prove that this 
version of Theorem 12.19 is valid. 


Theorem 12.20. Wiener's Low Encryption Exponent Attack on RSA. Suppose that
$n = pq$, where $p$ and $q$ are odd primes with $q < p < 2q$, and that $d < n^{1/4}/3$. Then,
given an RSA encryption key $(e, n)$, the decryption key $d$ can be found using $O((\log n)^3)$
bit operations.


Proof. We will base the proof on approximation of a rational number by continued
fractions. First, note that because $de \equiv 1 \pmod{\phi(n)}$, there is an integer $k$ such that
$de - 1 = k\phi(n)$. Dividing both sides of this equation by $d\phi(n)$, we find that

$$\frac{e}{\phi(n)} - \frac{1}{d\phi(n)} = \frac{k}{d},$$

which implies that

$$\frac{e}{\phi(n)} - \frac{k}{d} = \frac{1}{d\phi(n)}.$$

This shows that the fraction $k/d$ is a good approximation of $e/\phi(n)$.

Note also that $q < \sqrt{n}$, because $q < p$ and $n = pq$ by the hypotheses of the theorem.
Using the hypothesis that $q < p < 2q$, it follows that

$$p + q - 1 < 2q + q - 1 = 3q - 1 < 3\sqrt{n}.$$

Because $\phi(n) = n - p - q + 1$, we see that
$n - \phi(n) = n - (n - p - q + 1) = p + q - 1 < 3\sqrt{n}$.

We can make use of this last inequality to show that $k/d$ is an excellent approximation
of $e/n$. We see that

$$\left| \frac{e}{n} - \frac{k}{d} \right| = \left| \frac{de - kn}{nd} \right|
= \left| \frac{(de - k\phi(n)) - (kn - k\phi(n))}{nd} \right|
= \left| \frac{1 - k(n - \phi(n))}{nd} \right|
\le \frac{3k\sqrt{n}}{nd} = \frac{3k}{d\sqrt{n}}.$$

Because $e < \phi(n)$, we see that $ke < k\phi(n) = de - 1 < de$. This implies that $k < d$. We
now use the hypothesis that $d < n^{1/4}/3$ to see that $k < n^{1/4}/3$.

It follows that

$$\left| \frac{e}{n} - \frac{k}{d} \right| \le \frac{3k\sqrt{n}}{nd} < \frac{3(n^{1/4}/3)\sqrt{n}}{nd} = \frac{1}{d n^{1/4}} < \frac{1}{2d^2}.$$

We now use the version of Theorem 12.19 for rational numbers. By this theorem, we
know that $k/d$ is a convergent of the continued fraction expansion of $e/n$. Note also that
both $e$ and $n$ are public information. Consequently, to find $k/d$ we need only examine
the convergents of $e/n$. Because $k/d$ is a reduced fraction, to check each convergent to
see whether it equals $k/d$, we suppose that its numerator equals $k$. We then use this value
to compute $\phi(n)$, because $\phi(n) = (de - 1)/k$. We use this purported value of $\phi(n)$ and
the value of $n$ to factor $n$ (see the discussion in Section 8.4 to see how this is done).
Once we have found $k/d$, we know $d$ because $k/d$ is a reduced fraction and $d$ is its
denominator. To see that $k/d$ is reduced, note that $ed - k\phi(n) = 1$, which implies, by
Theorem 3.8, that $(d, k) = 1$. Because computing all convergents of a rational number
with denominator $n$ uses $O((\log n)^3)$ bit operations, we see that $d$ can be found using
$O((\log n)^3)$ bit operations. ■
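The convergent test from the proof of Theorem 12.20, written as a key-audit check that flags an RSA public key whose decryption exponent is small enough to be read off the convergents of e/n, together with the theorem's bound as a key-generation guard. This is an added example, not code from the book; the function names and the toy key (n = 90581, e = 17993) are constructed for the illustration.

```python
from math import isqrt


def convergents(num, den):
    """Yield the convergents (p_k, q_k) of the finite simple continued
    fraction of num/den, using p_k = a_k p_{k-1} + p_{k-2} and the same
    recurrence for q_k, with partial quotients from the Euclidean algorithm."""
    p_prev, p = 1, num // den          # p_{-1}, p_0
    q_prev, q = 0, 1                   # q_{-1}, q_0
    num, den = den, num % den
    yield p, q
    while den:
        a = num // den
        num, den = den, num % den
        p_prev, p = p, a * p + p_prev
        q_prev, q = q, a * q + q_prev
        yield p, q


def d_within_theorem_bound(d, n):
    """Key-generation guard: True when d < n^(1/4)/3, i.e. (3d)^4 < n,
    which is the hypothesis on d in Theorem 12.20."""
    return 81 * d ** 4 < n


def audit_small_private_exponent(e, n):
    """Return (d, p, q) when some convergent k/d of e/n yields a value
    phi = (de - 1)/k that factors n, otherwise None.

    With a correct phi, p + q = n - phi + 1 and pq = n, so p and q are the
    roots of x^2 - (p + q)x + n; the discriminant must be a perfect square.
    """
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue                   # phi would not be an integer
        phi = (e * d - 1) // k
        s = n - phi + 1                # candidate p + q
        disc = s * s - 4 * n           # candidate (p - q)^2
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r != disc or (s + r) % 2:
            continue
        p, q = (s + r) // 2, (s - r) // 2
        if q > 1 and p * q == n:
            return d, p, q
    return None


# Constructed toy key: p = 379, q = 239 (q < p < 2q), phi(n) = 89964.
N = 379 * 239                          # 90581
WEAK_E = 17993                         # 17993 * 5 = 1 + 89964, so d = 5
SAFE_E = 5                             # its inverse mod phi(n) is 17993

if __name__ == "__main__":
    print("weak key :", audit_small_private_exponent(WEAK_E, N))
    print("safe key :", audit_small_private_exponent(SAFE_E, N))
    print("d = 5 inside the bound    :", d_within_theorem_bound(5, N))
    print("d = 17993 inside the bound:", d_within_theorem_bound(17993, N))
```

A key generator that rejects any d for which `d_within_theorem_bound` is true removes the case covered by the theorem; the audit function is the same test run from the public side.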


EXERCISES 


1. Find the simple continued fractions of each of the following real numbers.

   a) $\sqrt{2}$   b) $\sqrt{3}$   c) $\sqrt{5}$   d) $(1 + \sqrt{5})/2$

2. Find the first five partial quotients of the simple continued fractions of each of the following
   real numbers.

   a) $\sqrt[3]{2}$   b) $2\pi$   c) $(e - 1)/(e + 1)$   d) $(e^2 - 1)/(e^2 + 1)$

3. Find the best rational approximation to $\pi$ with a denominator less than or equal to 100,000.

4. The infinite simple continued fraction expansion of the number $e$ is

   $$e = [2; 1, 2, 1, 1, 4, 1, 1, 6, 1, 1, 8, \ldots].$$

   a) Find the first eight convergents of the continued fraction of $e$.
   b) Find the best rational approximation to $e$ having a denominator less than or equal to 536.

5. Let $\alpha$ be an irrational number with simple continued fraction expansion
   $\alpha = [a_0; a_1, a_2, \ldots]$. Show that the simple continued fraction of $-\alpha$ is
   $[-a_0 - 1; 1, a_1 - 1, a_2, a_3, \ldots]$ if $a_1 > 1$ and $[-a_0 - 1; a_2 + 1, a_3, \ldots]$ if $a_1 = 1$.

6. Show that if $p_k/q_k$ and $p_{k+1}/q_{k+1}$ are consecutive convergents of the simple continued
   fraction of an irrational number $\alpha$, then

   $$|\alpha - p_k/q_k| < 1/(2q_k^2)$$

   or

   $$|\alpha - p_{k+1}/q_{k+1}| < 1/(2q_{k+1}^2).$$

   (Hint: First show that $|\alpha - p_{k+1}/q_{k+1}| + |\alpha - p_k/q_k| = |p_{k+1}/q_{k+1} - p_k/q_k| =
   1/(q_k q_{k+1})$.)

7. Let $\alpha$ be an irrational number, $\alpha > 1$. Show that the $k$th convergent of the simple continued
   fraction of $1/\alpha$ is the reciprocal of the $(k - 1)$th convergent of the simple continued fraction
   of $\alpha$.

8. Let $\alpha$ be an irrational number and let $p_j/q_j$ denote the $j$th convergent of the simple continued
   fraction expansion of $\alpha$. Show that at least one of any three consecutive convergents satisfies
   the inequality

   $$|\alpha - p_j/q_j| < 1/(\sqrt{5}\, q_j^2).$$

   Conclude that there are infinitely many rational numbers $p/q$, where $p$ and $q$ are integers
   with $q \ne 0$, such that

   $$|\alpha - p/q| < 1/(\sqrt{5}\, q^2).$$

9. Show that if $\alpha = (1 + \sqrt{5})/2$, and $c > \sqrt{5}$, then there are only a finite number of rational
   numbers $p/q$, where $p$ and $q$ are integers, $q \ne 0$, such that

   $$|\alpha - p/q| < 1/(c q^2).$$

   (Hint: Consider the convergents of the simple continued fraction expansion of $\sqrt{5}$.)


If $\alpha$ and $\beta$ are two real numbers, we say that $\beta$ is equivalent to $\alpha$ if there are integers
$a$, $b$, $c$, and $d$ such that $ad - bc = \pm 1$ and $\beta = \dfrac{a\alpha + b}{c\alpha + d}$.

10. Show that a real number $\alpha$ is equivalent to itself.

11. Show that if $\alpha$ and $\beta$ are real numbers with $\beta$ equivalent to $\alpha$, then $\alpha$ is equivalent to $\beta$.
    Hence, we can say that two numbers $\alpha$ and $\beta$ are equivalent.

12. Show that if $\alpha$, $\beta$, and $\lambda$ are real numbers such that $\alpha$ and $\beta$ are equivalent and $\beta$ and $\lambda$
    are equivalent, then $\alpha$ and $\lambda$ are equivalent.

13. Show that any two rational numbers are equivalent.

14. Show that two irrational numbers $\alpha$ and $\beta$ are equivalent if and only if the tails of their
    simple continued fractions agree, that is, if $\alpha = [a_0; a_1, a_2, \ldots, a_j, c_1, c_2, c_3, \ldots]$,
    $\beta = [b_0; b_1, b_2, \ldots, b_k, c_1, c_2, c_3, \ldots]$, where $a_i$, $i = 0, 1, 2, \ldots, j$; $b_i$, $i = 0, 1, 2, \ldots, k$;
    and $c_i$, $i = 1, 2, 3, \ldots$ are integers, all positive except perhaps $a_0$ and $b_0$.


Let $\alpha$ be an irrational number, and let the simple continued fraction expansion of $\alpha$ be
$\alpha = [a_0; a_1, a_2, \ldots]$. Let $p_k/q_k$ denote, as usual, the $k$th convergent of this continued
fraction. We define the pseudoconvergents of this continued fraction to be

$$p_{k,t}/q_{k,t} = (t p_{k-1} + p_{k-2})/(t q_{k-1} + q_{k-2}),$$

where $k$ is a positive integer, $k \ge 2$, and $t$ is an integer with $0 < t < a_k$.

15. Show that each pseudoconvergent is in lowest terms.

16. Show that the sequence of rational numbers $p_{k,2}/q_{k,2}, \ldots, p_{k,a_k-1}/q_{k,a_k-1}, p_k/q_k$ is
    increasing if $k$ is even, and decreasing if $k$ is odd.

17. Show that if $r$ and $s$ are integers with $s > 0$ such that

    $$|\alpha - r/s| < |\alpha - p_{k,t}/q_{k,t}|,$$

    where $k$ is a positive integer and $0 < t < a_k$, then $s > q_{k,t}$ or $r/s = p_{k-1}/q_{k-1}$. This shows
    that the closest rational approximations to a real number are the convergents and
    pseudoconvergents of its simple continued fraction.

18. Find the pseudoconvergents of the simple continued fraction of $\pi$ for $k = 2$.

19. Find a rational number $r/s$ that is closer to $\pi$ than 22/7 with denominator $s$ less than 106.
    (Hint: Use Exercise 17.)

20. Find the rational number $r/s$ that is closest to $e$ with denominator $s$ less than 100.

21. Show that the version of Theorem 12.19 for rational numbers is valid. That is, show that if
    $a$, $b$, $c$, and $d$ are all integers with $b$ and $d$ nonzero, $(a, b) = (c, d) = 1$, and

    $$\left| \frac{a}{b} - \frac{c}{d} \right| < \frac{1}{2d^2},$$

    then $c/d$ is a convergent of the continued fraction expansion of $a/b$.

22. Show that computing all convergents of a rational number with denominator $n$ can be done
    using $O((\log n)^3)$ bit operations.


Computations and Explorations 


1. Compute the first 100 partial quotients of each of the real numbers in Exercise 2.

2. Compute the first 100 partial quotients of the simple continued fraction of $e^2$. From this, find
   the rule for the partial quotients of this simple continued fraction.

3. Compute the first 1000 partial quotients of the simple continued fraction of $\pi$. What is the
   largest partial quotient that appears? How often does the integer 1 appear as a partial quotient?


Programming Projects 


1. Given a real number x, find the simple continued fraction of x.

2. Given an irrational number x and a positive integer n, find the best rational approximation to
   x with denominator not exceeding n.


12.4 Periodic Continued Fractions


In this section, we study infinite continued fractions that are periodic. We will show that 
an infinite continued fraction is periodic if and only if the real number it represents is a 
quadratic irrationality. We begin with a definition. 


Definition. Periodic Continued Fractions. We call the infinite simple continued
fraction $[a_0; a_1, a_2, \ldots]$ periodic if there are positive integers $N$ and $k$ such that
$a_n = a_{n+k}$ for all positive integers $n$ with $n \ge N$. We use the notation

$$[a_0; a_1, a_2, \ldots, a_{N-1}, \overline{a_N, a_{N+1}, \ldots, a_{N+k-1}}]$$

to express the periodic infinite simple continued fraction

$$[a_0; a_1, a_2, \ldots, a_{N-1}, a_N, a_{N+1}, \ldots, a_{N+k-1}, a_N, a_{N+1}, \ldots].$$

For instance, $[1; 2, \overline{3, 4}]$ denotes the infinite simple continued fraction
$[1; 2, 3, 4, 3, 4, 3, 4, \ldots]$.

In Section 12.1, we showed that the base b expansion of a number is periodic if and 
only if the number is rational. To characterize those irrational numbers with periodic 
infinite simple continued fractions, we need the following definition. 


Definition. Quadratic Irrationalities. The real number $\alpha$ is said to be a quadratic
irrationality if $\alpha$ is irrational and is a root of a quadratic polynomial with integer
coefficients, that is,

$$A\alpha^2 + B\alpha + C = 0,$$

where $A$, $B$, and $C$ are integers and $A \ne 0$.

Example 12.12. Let $\alpha = 2 + \sqrt{3}$. Then $\alpha$ is irrational, for if $\alpha$ were rational, then by
Exercise 3 of Section 1.1, $\alpha - 2 = \sqrt{3}$ would be rational, contradicting Theorem 3.18.
Next, note that

$$\alpha^2 - 4\alpha + 1 = (7 + 4\sqrt{3}) - 4(2 + \sqrt{3}) + 1 = 0.$$

Hence, $\alpha$ is a quadratic irrationality. ◄

We will show that the infinite simple continued fraction of an irrational number is
periodic if and only if this number is a quadratic irrationality. Before we do this, we first
develop some useful results about quadratic irrationalities.


Lemma 12.1. The real number $\alpha$ is a quadratic irrationality if and only if there are
integers $a$, $b$, and $c$ with $b > 0$ and $c \ne 0$ such that $b$ is not a perfect square and

$$\alpha = (a + \sqrt{b})/c.$$

Proof. If $\alpha$ is a quadratic irrationality, then $\alpha$ is irrational, and there are integers $A$, $B$,
and $C$ such that $A\alpha^2 + B\alpha + C = 0$. From the quadratic formula, we know that

$$\alpha = \frac{-B \pm \sqrt{B^2 - 4AC}}{2A}.$$

Because $\alpha$ is a real number, we have $B^2 - 4AC > 0$, and because $\alpha$ is irrational,
$B^2 - 4AC$ is not a perfect square and $A \ne 0$. By either taking $a = -B$, $b = B^2 - 4AC$,
and $c = 2A$, or $a = B$, $b = B^2 - 4AC$, and $c = -2A$, we have our desired representation
of $\alpha$.

Conversely, if

$$\alpha = (a + \sqrt{b})/c,$$

where $a$, $b$, and $c$ are integers with $b > 0$, $c \ne 0$, and $b$ not a perfect square, then by
Exercise 3 of Section 1.1 and Theorem 3.18, we can easily see that $\alpha$ is irrational.
Furthermore, we note that

$$c^2\alpha^2 - 2ac\alpha + (a^2 - b) = 0,$$

so that $\alpha$ is a quadratic irrationality. ■
The following lemma will be used when we show that periodic simple continued
fractions represent quadratic irrationalities.

Lemma 12.2. If $\alpha$ is a quadratic irrationality and if $r$, $s$, $t$, and $u$ are integers, then
$(r\alpha + s)/(t\alpha + u)$ is either rational or a quadratic irrationality.

Proof. From Lemma 12.1, there are integers $a$, $b$, and $c$ with $b > 0$, $c \ne 0$, and $b$ not a
perfect square, such that

$$\alpha = (a + \sqrt{b})/c.$$

Thus,

$$\frac{r\alpha + s}{t\alpha + u} = \frac{r(a + \sqrt{b})/c + s}{t(a + \sqrt{b})/c + u}$$
$$= \frac{(ar + cs) + r\sqrt{b}}{(at + cu) + t\sqrt{b}}$$
$$= \frac{[(ar + cs) + r\sqrt{b}][(at + cu) - t\sqrt{b}]}{[(at + cu) + t\sqrt{b}][(at + cu) - t\sqrt{b}]}$$
$$= \frac{[(ar + cs)(at + cu) - rtb] + [r(at + cu) - t(ar + cs)]\sqrt{b}}{(at + cu)^2 - t^2 b}.$$

Hence, by Lemma 12.1, $(r\alpha + s)/(t\alpha + u)$ is a quadratic irrationality, unless the
coefficient of $\sqrt{b}$ is zero, which would imply that this number is rational. ■


In our subsequent discussions of simple continued fractions of quadratic irrational- 
ities, we will use the notion of the conjugate of a quadratic irrationality. 


Definition. Let $\alpha = (a + \sqrt{b})/c$ be a quadratic irrationality. Then the conjugate of $\alpha$,
denoted by $\alpha'$, is defined by $\alpha' = (a - \sqrt{b})/c$.

Lemma 12.3. If the quadratic irrationality $\alpha$ is a root of the polynomial $Ax^2 + Bx +
C = 0$, then the other root of this polynomial is $\alpha'$, the conjugate of $\alpha$.

Proof. From the quadratic formula, we see that the two roots of $Ax^2 + Bx + C = 0$
are

$$\frac{-B \pm \sqrt{B^2 - 4AC}}{2A}.$$

If $\alpha$ is one of these roots, then $\alpha'$ is the other root, because the sign of $\sqrt{B^2 - 4AC}$ is
reversed to obtain $\alpha'$ from $\alpha$. ■

The following lemma tells us how to find the conjugates of arithmetic expressions
involving quadratic irrationalities.

Lemma 12.4. If $\alpha_1 = (a_1 + b_1\sqrt{d})/c_1$ and $\alpha_2 = (a_2 + b_2\sqrt{d})/c_2$ are rational numbers
or quadratic irrationalities, then

(i) $(\alpha_1 + \alpha_2)' = \alpha_1' + \alpha_2'$,

(ii) $(\alpha_1 - \alpha_2)' = \alpha_1' - \alpha_2'$,

(iii) $(\alpha_1 \alpha_2)' = \alpha_1' \alpha_2'$,

(iv) $(\alpha_1/\alpha_2)' = \alpha_1'/\alpha_2'$.

The proof of (iv) will be given here; the proofs of the other parts are easier and appear
at the end of this section as problems for the reader.

Proof of (iv). Note that

$$\alpha_1/\alpha_2 = \frac{(a_1 + b_1\sqrt{d})/c_1}{(a_2 + b_2\sqrt{d})/c_2}$$
$$= \frac{c_2(a_1 + b_1\sqrt{d})(a_2 - b_2\sqrt{d})}{c_1(a_2 + b_2\sqrt{d})(a_2 - b_2\sqrt{d})}$$
$$= \frac{(c_2 a_1 a_2 - c_2 b_1 b_2 d) + (c_2 a_2 b_1 - c_2 a_1 b_2)\sqrt{d}}{c_1(a_2^2 - b_2^2 d)},$$

whereas

$$\alpha_1'/\alpha_2' = \frac{(a_1 - b_1\sqrt{d})/c_1}{(a_2 - b_2\sqrt{d})/c_2}$$
$$= \frac{c_2(a_1 - b_1\sqrt{d})(a_2 + b_2\sqrt{d})}{c_1(a_2 - b_2\sqrt{d})(a_2 + b_2\sqrt{d})}$$
$$= \frac{(c_2 a_1 a_2 - c_2 b_1 b_2 d) - (c_2 a_2 b_1 - c_2 a_1 b_2)\sqrt{d}}{c_1(a_2^2 - b_2^2 d)}.$$

Hence, $(\alpha_1/\alpha_2)' = \alpha_1'/\alpha_2'$. ■


The fundamental result about periodic simple continued fractions is called La- 
grange’s theorem (although part of the theorem was proved by Euler). (Note that this 
theorem is different from Lagrange’s theorem on polynomial congruences discussed in 
Chapter 9. In this chapter, we do not refer to that result.) Euler proved in 1737 that a 
periodic infinite simple continued fraction represents a quadratic irrationality. Lagrange 
showed in 1770 that a quadratic irrationality has a periodic continued fraction. 


Theorem 12.21. Lagrange’s Theorem. The infinite simple continued fraction of an 
irrational number is periodic if and only if this number is a quadratic irrationality. 

We first prove that a periodic continued fraction represents a quadratic irrationality.
The converse, that the simple continued fraction of a quadratic irrationality is periodic,
will be proved after a special algorithm for obtaining the continued fraction of a quadratic
irrationality is developed.


Proof. Let the simple continued fraction of $\alpha$ be periodic, so that

$$\alpha = [a_0; a_1, a_2, \ldots, a_{N-1}, \overline{a_N, a_{N+1}, \ldots, a_{N+k}}].$$

Now, let

$$\beta = [\overline{a_N; a_{N+1}, \ldots, a_{N+k}}].$$

Then

$$\beta = [a_N; a_{N+1}, \ldots, a_{N+k}, \beta],$$

and by Theorem 12.9, it follows that

$$(12.13) \qquad \beta = \frac{\beta p_k + p_{k-1}}{\beta q_k + q_{k-1}},$$

where $p_k/q_k$ and $p_{k-1}/q_{k-1}$ are convergents of $[a_N; a_{N+1}, \ldots, a_{N+k}]$. Because the
simple continued fraction of $\beta$ is infinite, $\beta$ is irrational, and by (12.13), we have

$$q_k \beta^2 + (q_{k-1} - p_k)\beta - p_{k-1} = 0,$$

so that $\beta$ is a quadratic irrationality. Now, note that

$$\alpha = [a_0; a_1, a_2, \ldots, a_{N-1}, \beta],$$

so that, from Theorem 12.11, we have

$$\alpha = \frac{\beta p_{N-1} + p_{N-2}}{\beta q_{N-1} + q_{N-2}},$$

where $p_{N-1}/q_{N-1}$ and $p_{N-2}/q_{N-2}$ are convergents of $[a_0; a_1, a_2, \ldots, a_{N-1}]$. Because $\beta$
is a quadratic irrationality, Lemma 12.2 tells us that $\alpha$ is also a quadratic irrationality (we
know that $\alpha$ is irrational because it has an infinite simple continued fraction expansion). ■

The following example shows how to use the proof of Theorem 12.21 to find the 
quadratic irrationality represented by a periodic simple continued fraction. 


Example 12.13. Let $x = [3; \overline{1, 2}]$. By Theorem 12.21, we know that $x$ is a quadratic
irrationality. To find the value of $x$, we let $x = [3; y]$, where $y = [\overline{1; 2}]$, as in the proof of
Theorem 12.21. We have $y = [1; 2, y]$, so that

It follows that $2y^2 - 2y - 1 = 0$. Because $y$ is positive, by the quadratic formula, we
have $y = \frac{1 + \sqrt{3}}{2}$. Because $x = 3 + \frac{1}{y}$, we have

$$x = 3 + \frac{2}{1 + \sqrt{3}} = 3 + \frac{2 - 2\sqrt{3}}{-2} = \frac{4 + 2\sqrt{3}}{2}.$$ ◄

To develop an algorithm for finding the simple continued fraction of a quadratic 
irrationality, we need the following lemma. 


Lemma 12.5. If $\alpha$ is a quadratic irrationality, then $\alpha$ can be written as

$$\alpha = (P + \sqrt{d})/Q,$$

where $P$, $Q$, and $d$ are integers, $Q \ne 0$, $d > 0$, $d$ is not a perfect square, and $Q \mid (d - P^2)$.

Proof. Because $\alpha$ is a quadratic irrationality, Lemma 12.1 tells us that

$$\alpha = (a + \sqrt{b})/c,$$

where $a$, $b$, and $c$ are integers, $b > 0$, and $c \ne 0$. We multiply both the numerator and
the denominator of this expression for $\alpha$ by $|c|$ to obtain

$$\alpha = \frac{a|c| + \sqrt{bc^2}}{c|c|}$$

(where we have used the fact that $|c| = \sqrt{c^2}$). Now, let $P = a|c|$, $Q = c|c|$, and $d = bc^2$.
Then $P$, $Q$, and $d$ are integers, $Q \ne 0$ because $c \ne 0$, $d > 0$ (because $b > 0$), $d$ is not
a perfect square because $b$ is not a perfect square, and, finally, $Q \mid (d - P^2)$ because
$d - P^2 = bc^2 - a^2c^2 = c^2(b - a^2) = \pm Q(b - a^2)$. ■

We now present an algorithm for finding the simple continued fractions of quadratic
irrationalities.

Theorem 12.22. Let $\alpha$ be a quadratic irrationality, so that by Lemma 12.5 there are
integers $P_0$, $Q_0$, and $d$ such that

$$\alpha = (P_0 + \sqrt{d})/Q_0,$$

where $Q_0 \ne 0$, $d > 0$, $d$ is not a perfect square, and $Q_0 \mid (d - P_0^2)$. Recursively define

$$\alpha_k = (P_k + \sqrt{d})/Q_k,$$
$$a_k = [\alpha_k],$$
$$P_{k+1} = a_k Q_k - P_k,$$
$$Q_{k+1} = (d - P_{k+1}^2)/Q_k,$$

for $k = 0, 1, 2, \ldots$. Then $\alpha = [a_0; a_1, a_2, \ldots]$.


Proof. Using mathematical induction, we will show that $P_k$ and $Q_k$ are integers with
$Q_k \ne 0$ and $Q_k \mid (d - P_k^2)$, for $k = 0, 1, 2, \ldots$. First, note that this assertion is true for
$k = 0$ from the hypotheses of the theorem. Next, assume that $P_k$ and $Q_k$ are integers with
$Q_k \ne 0$ and $Q_k \mid (d - P_k^2)$. Then,

$$P_{k+1} = a_k Q_k - P_k$$

is also an integer. Further,

$$Q_{k+1} = (d - P_{k+1}^2)/Q_k$$
$$= [d - (a_k Q_k - P_k)^2]/Q_k$$
$$= (d - P_k^2)/Q_k + (2a_k P_k - a_k^2 Q_k).$$

Because $Q_k \mid (d - P_k^2)$, by the induction hypothesis we see that $Q_{k+1}$ is an integer, and
because $d$ is not a perfect square, we see that $d \ne P_{k+1}^2$, so that $Q_{k+1} = (d - P_{k+1}^2)/Q_k \ne 0$.
Because

$$Q_k = (d - P_{k+1}^2)/Q_{k+1},$$

we can conclude that $Q_{k+1} \mid (d - P_{k+1}^2)$. This finishes the inductive argument.

To demonstrate that the integers $a_0, a_1, a_2, \ldots$ are the partial quotients of the simple
continued fraction of $\alpha$, we use Theorem 12.15. If we can show that

$$\alpha_{k+1} = 1/(\alpha_k - a_k),$$

for $k = 0, 1, 2, \ldots$, then we know that $\alpha = [a_0; a_1, a_2, \ldots]$. Note that

$$\alpha_k - a_k = \frac{P_k + \sqrt{d}}{Q_k} - a_k$$
$$= [\sqrt{d} - (a_k Q_k - P_k)]/Q_k$$
$$= (\sqrt{d} - P_{k+1})/Q_k$$
$$= (\sqrt{d} - P_{k+1})(\sqrt{d} + P_{k+1})/(Q_k(\sqrt{d} + P_{k+1}))$$
$$= (d - P_{k+1}^2)/(Q_k(\sqrt{d} + P_{k+1}))$$
$$= Q_k Q_{k+1}/(Q_k(\sqrt{d} + P_{k+1}))$$
$$= Q_{k+1}/(\sqrt{d} + P_{k+1})$$
$$= 1/\alpha_{k+1},$$

where we have used the defining relation for $Q_{k+1}$ to replace $d - P_{k+1}^2$ with $Q_k Q_{k+1}$.
Hence, we can conclude that $\alpha = [a_0; a_1, a_2, \ldots]$. ■


We illustrate the use of the algorithm given in Theorem 12.22 with the following 
example. 


Example 12.14. Let $\alpha = (3 + \sqrt{7})/2$. Using Lemma 12.5, we write

$$\alpha = (6 + \sqrt{28})/4,$$

where we set $P_0 = 6$, $Q_0 = 4$, and $d = 28$. Hence, $a_0 = [\alpha] = 2$, and

$P_1 = 2 \cdot 4 - 6 = 2$,   $\alpha_1 = (2 + \sqrt{28})/6$,
$Q_1 = (28 - 2^2)/4 = 6$,   $a_1 = [(2 + \sqrt{28})/6] = 1$,

$P_2 = 1 \cdot 6 - 2 = 4$,   $\alpha_2 = (4 + \sqrt{28})/2$,
$Q_2 = (28 - 4^2)/6 = 2$,   $a_2 = [(4 + \sqrt{28})/2] = 4$,

$P_3 = 4 \cdot 2 - 4 = 4$,   $\alpha_3 = (4 + \sqrt{28})/6$,
$Q_3 = (28 - 4^2)/2 = 6$,   $a_3 = [(4 + \sqrt{28})/6] = 1$,

$P_4 = 1 \cdot 6 - 4 = 2$,   $\alpha_4 = (2 + \sqrt{28})/4$,
$Q_4 = (28 - 2^2)/6 = 4$,   $a_4 = [(2 + \sqrt{28})/4] = 1$,

$P_5 = 1 \cdot 4 - 2 = 2$,   $\alpha_5 = (2 + \sqrt{28})/6$,
$Q_5 = (28 - 2^2)/4 = 6$,   $a_5 = [(2 + \sqrt{28})/6] = 1$,

and so on, with repetition, because $P_1 = P_5$ and $Q_1 = Q_5$. Hence, we see that

$$(3 + \sqrt{7})/2 = [2; 1, 4, 1, 1, 1, 4, 1, 1, \ldots] = [2; \overline{1, 4, 1, 1}].$$ ◄

We now finish the proof of Lagrange's theorem by showing that the simple continued
fraction expansion of a quadratic irrationality is periodic.


Proof of Theorem 12.21 (continued). Let $\alpha$ be a quadratic irrationality, so that by
Lemma 12.5, we can write $\alpha$ as

$$\alpha = (P_0 + \sqrt{d})/Q_0.$$

Furthermore, by Theorem 12.20, we have $\alpha = [a_0; a_1, a_2, \ldots]$, where

$$\alpha_k = (P_k + \sqrt{d})/Q_k,$$
$$a_k = [\alpha_k],$$
$$P_{k+1} = a_k Q_k - P_k,$$
$$Q_{k+1} = (d - P_{k+1}^2)/Q_k$$

for $k = 0, 1, 2, \ldots$.

Because $\alpha = [a_0; a_1, a_2, \ldots, a_{k-1}, \alpha_k]$, Theorem 12.11 tells us that

$$\alpha = (p_{k-1}\alpha_k + p_{k-2})/(q_{k-1}\alpha_k + q_{k-2}).$$

Taking conjugates of both sides of this equation, and using Lemma 12.4, we see that

$$(12.14) \qquad \alpha' = (p_{k-1}\alpha_k' + p_{k-2})/(q_{k-1}\alpha_k' + q_{k-2}).$$

When we solve (12.14) for $\alpha_k'$, we find that

$$\alpha_k' = -\frac{q_{k-2}}{q_{k-1}} \cdot \frac{\alpha' - \dfrac{p_{k-2}}{q_{k-2}}}{\alpha' - \dfrac{p_{k-1}}{q_{k-1}}}.$$

Note that the convergents $p_{k-2}/q_{k-2}$ and $p_{k-1}/q_{k-1}$ tend to $\alpha$ as $k$ tends to infinity, so
that

$$\frac{\alpha' - \dfrac{p_{k-2}}{q_{k-2}}}{\alpha' - \dfrac{p_{k-1}}{q_{k-1}}}$$

tends to 1. Hence, there is an integer $N$ such that $\alpha_k' < 0$ for $k \ge N$. Because $\alpha_k > 0$ for
$k \ge 1$, we have

$$\alpha_k - \alpha_k' = \frac{P_k + \sqrt{d}}{Q_k} - \frac{P_k - \sqrt{d}}{Q_k} = \frac{2\sqrt{d}}{Q_k} > 0,$$

so that $Q_k > 0$ for $k \ge N$.

Because $Q_k Q_{k+1} = d - P_{k+1}^2$, we see that for $k \ge N$,

$$Q_k \le Q_k Q_{k+1} = d - P_{k+1}^2 \le d.$$

Also for $k \ge N$, we have

$$P_{k+1}^2 < d = P_{k+1}^2 + Q_k Q_{k+1},$$

so that

$$-\sqrt{d} < P_{k+1} < \sqrt{d}.$$

From the inequalities $0 < Q_k \le d$ and $-\sqrt{d} < P_{k+1} < \sqrt{d}$, which hold for $k \ge N$, we see
that there are only a finite number of possible values for the pair of integers $P_k$, $Q_k$ for
$k > N$. Because there are infinitely many integers $k$ with $k \ge N$, there are two integers
$i$ and $j$ such that $P_i = P_j$ and $Q_i = Q_j$ with $i < j$. Hence, from the defining relation
for $\alpha_k$, we see that $\alpha_i = \alpha_j$. Consequently, we can see that $a_i = a_j$, $a_{i+1} = a_{j+1}$,
$a_{i+2} = a_{j+2}$, .... Hence,

$$\alpha = [a_0; a_1, a_2, \ldots, a_{i-1}, a_i, a_{i+1}, \ldots, a_{j-1}, a_i, a_{i+1}, \ldots, a_{j-1}, \ldots]$$
$$= [a_0; a_1, a_2, \ldots, a_{i-1}, \overline{a_i, a_{i+1}, \ldots, a_{j-1}}].$$

This shows that $\alpha$ has a periodic simple continued fraction. ■


Purely Periodic Continued Fractions Next, we investigate those periodic simple 
continued fractions that are purely periodic, that is, those without a pre-period. 


Definition. The continued fraction $[a_0; a_1, a_2, \ldots]$ is purely periodic if there is an
integer $n$ such that $a_k = a_{n+k}$ for $k = 0, 1, 2, \ldots$, so that
$$[a_0; a_1, a_2, \ldots] = [\overline{a_0; a_1, a_2, a_3, \ldots, a_{n-1}}].$$




Example 12.15. The continued fraction $[\overline{2; 3}] = (1 + \sqrt{3})/2$ is purely periodic,
whereas $[2; \overline{2, 4}] = \sqrt{6}$ is not.


The next definition and theorem describe those quadratic irrationalities with purely 
periodic simple continued fractions. 


Definition. A quadratic irrationality $\alpha$ is called reduced if $\alpha > 1$ and $-1 < \alpha' < 0$,
where $\alpha'$ is the conjugate of $\alpha$.

Theorem 12.23. The simple continued fraction of the quadratic irrationality $\alpha$ is purely
periodic if and only if $\alpha$ is reduced. Further, if $\alpha$ is reduced and $\alpha = [\overline{a_0; a_1, a_2, \ldots, a_n}]$,
then the continued fraction of $-1/\alpha'$ is $[\overline{a_n; a_{n-1}, \ldots, a_0}]$.


Proof. First, assume that $\alpha$ is a reduced quadratic irrationality. Recall from Theorem
12.18 that the partial fractions of the simple continued fraction of $\alpha$ are given by
$$a_k = [\alpha_k], \quad \alpha_{k+1} = 1/(\alpha_k - a_k),$$
for $k = 0, 1, 2, \ldots$, where $\alpha_0 = \alpha$. We see that
$$1/\alpha_{k+1} = \alpha_k - a_k,$$
and by taking conjugates and using Lemma 12.4, we see that

(12.15) $$1/\alpha_{k+1}' = \alpha_k' - a_k.$$

We can prove, by mathematical induction, that $-1 < \alpha_k' < 0$ for $k = 0, 1, 2, \ldots$. First,
note that because $\alpha_0 = \alpha$ is reduced, $-1 < \alpha_0' < 0$. Now, assume that $-1 < \alpha_k' < 0$. Then,
because $a_k \ge 1$ for $k = 0, 1, 2, \ldots$ (note that $a_0 \ge 1$ because $\alpha > 1$), we see from (12.15)
that
$$1/\alpha_{k+1}' < -1,$$
so that $-1 < \alpha_{k+1}' < 0$. Hence, $-1 < \alpha_k' < 0$ for $k = 0, 1, 2, \ldots$.

Next, note that from (12.15) we have
$$\alpha_k' = a_k + 1/\alpha_{k+1}',$$
and because $-1 < \alpha_k' < 0$, it follows that
$$-1 < a_k + 1/\alpha_{k+1}' < 0.$$
Consequently,
$$-1 - 1/\alpha_{k+1}' < a_k < -1/\alpha_{k+1}',$$
so that
$$a_k = [-1/\alpha_{k+1}'].$$

Because $\alpha$ is a quadratic irrationality, the proof of Lagrange’s theorem shows that there
are nonnegative integers $i$ and $j$, $i < j$, such that $\alpha_i = \alpha_j$, and hence with $-1/\alpha_i' = -1/\alpha_j'$.
Because $a_{i-1} = [-1/\alpha_i']$ and $a_{j-1} = [-1/\alpha_j']$, we see that $a_{i-1} = a_{j-1}$. Furthermore,
because $\alpha_{i-1} = a_{i-1} + 1/\alpha_i$ and $\alpha_{j-1} = a_{j-1} + 1/\alpha_j$, we also see that $\alpha_{i-1} = \alpha_{j-1}$.
Continuing this argument, we see that $\alpha_{i-2} = \alpha_{j-2}$, $\alpha_{i-3} = \alpha_{j-3}$, ..., and, finally, that
$\alpha_0 = \alpha_{j-i}$. Because
$$\alpha_0 = \alpha = [a_0; a_1, \ldots, a_{j-i-1}, \alpha_{j-i}]$$
$$= [a_0; a_1, \ldots, a_{j-i-1}, \alpha_0]$$
$$= [\overline{a_0; a_1, \ldots, a_{j-i-1}}],$$
we see that the simple continued fraction of $\alpha$ is purely periodic.

To prove the converse, assume that $\alpha$ is a quadratic irrationality with a purely periodic
continued fraction $\alpha = [\overline{a_0; a_1, a_2, \ldots, a_k}]$. Because $\alpha = [a_0; a_1, a_2, \ldots, a_k, \alpha]$,
Theorem 12.11 tells that

(12.16) $$\alpha = \frac{\alpha p_k + p_{k-1}}{\alpha q_k + q_{k-1}},$$

where $p_{k-1}/q_{k-1}$ and $p_k/q_k$ are the $(k-1)$th and $k$th convergents of the continued
fraction expansion of $\alpha$. From (12.16), we see that

(12.17) $$q_k \alpha^2 + (q_{k-1} - p_k)\alpha - p_{k-1} = 0.$$

Now let $\beta$ be the quadratic irrationality such that $\beta = [\overline{a_k; a_{k-1}, \ldots, a_1, a_0}]$, that is, with
the period of the simple continued fraction for $\alpha$ reversed. Then $\beta = [a_k; a_{k-1}, \ldots, a_1, a_0, \beta]$,
so that by Theorem 12.11, it follows that

(12.18) $$\beta = \frac{\beta p_k' + p_{k-1}'}{\beta q_k' + q_{k-1}'},$$

where $p_{k-1}'/q_{k-1}'$ and $p_k'/q_k'$ are the $(k-1)$th and $k$th convergents of the continued
fraction expansion of $\beta$. Note, however, from Exercise 10 of Section 12.2, that
$$p_k/p_{k-1} = [a_k; a_{k-1}, \ldots, a_1, a_0] = p_k'/q_k'$$
and
$$q_k/q_{k-1} = [a_k; a_{k-1}, \ldots, a_2, a_1] = p_{k-1}'/q_{k-1}'.$$

Because $p_{k-1}'/q_{k-1}'$ and $p_k'/q_k'$ are convergents, we know that they are in lowest terms.
Also, $p_k/p_{k-1}$ and $q_k/q_{k-1}$ are in lowest terms, because Theorem 12.12 tells us that
$p_k q_{k-1} - p_{k-1} q_k = (-1)^{k-1}$. Hence,
$$p_k' = p_k, \quad q_k' = p_{k-1}$$
and
$$p_{k-1}' = q_k, \quad q_{k-1}' = q_{k-1}.$$
Inserting these values into (12.18), we see that
$$\beta = \frac{\beta p_k + q_k}{\beta p_{k-1} + q_{k-1}}.$$
Therefore, we know that
$$p_{k-1}\beta^2 + (q_{k-1} - p_k)\beta - q_k = 0.$$

This implies that

(12.19) $$q_k(-1/\beta)^2 + (q_{k-1} - p_k)(-1/\beta) - p_{k-1} = 0.$$

By (12.17) and (12.19), we see that the two roots of the quadratic equation
$$q_k x^2 + (q_{k-1} - p_k)x - p_{k-1} = 0$$
are $\alpha$ and $-1/\beta$, so that by the quadratic equation, we have $\alpha' = -1/\beta$. Because
$\beta = [\overline{a_k; a_{k-1}, \ldots, a_1, a_0}]$, we see that $\beta > 1$, so that $-1 < \alpha' = -1/\beta < 0$. Hence, $\alpha$ is
a reduced quadratic irrationality.

Furthermore, note that because $\beta = -1/\alpha'$, it follows that
$$-1/\alpha' = [\overline{a_k; a_{k-1}, \ldots, a_1, a_0}].$$


We now find the form of the periodic simple continued fraction of $\sqrt{D}$, where $D$ is
a positive integer that is not a perfect square. Although $\sqrt{D}$ is not reduced, because its
conjugate, $-\sqrt{D}$, is not between $-1$ and 0, the quadratic irrationality $[\sqrt{D}] + \sqrt{D}$ is
reduced because its conjugate, $[\sqrt{D}] - \sqrt{D}$, does lie between $-1$ and 0. Therefore, from
Theorem 12.23, we know that the continued fraction of $[\sqrt{D}] + \sqrt{D}$ is purely periodic.
Because the initial partial quotient of the simple continued fraction of $[\sqrt{D}] + \sqrt{D}$ is
$[[\sqrt{D}] + \sqrt{D}] = 2[\sqrt{D}] = 2a_0$, where $a_0 = [\sqrt{D}]$, we can write
$$[\sqrt{D}] + \sqrt{D} = [\overline{2a_0; a_1, a_2, \ldots, a_n}]$$
$$= [2a_0; a_1, a_2, \ldots, a_n, 2a_0, a_1, \ldots, a_n, \ldots].$$
Subtracting $a_0 = [\sqrt{D}]$ from both sides of this equality, we find that
$$\sqrt{D} = [a_0; a_1, a_2, \ldots, 2a_0, a_1, a_2, \ldots, 2a_0, \ldots]$$
$$= [a_0; \overline{a_1, a_2, \ldots, a_n, 2a_0}].$$
To obtain even more information about the partial quotients of the continued fraction
of $\sqrt{D}$, we note that from Theorem 12.23, the simple continued fraction expansion of
$-1/([\sqrt{D}] - \sqrt{D})$ can be obtained from that for $[\sqrt{D}] + \sqrt{D}$ by reversing the period,
so that
$$1/(\sqrt{D} - [\sqrt{D}]) = [\overline{a_n; a_{n-1}, \ldots, a_1, 2a_0}].$$
But also note that
$$\sqrt{D} - [\sqrt{D}] = [0; \overline{a_1, a_2, \ldots, a_n, 2a_0}],$$
so that by taking reciprocals, we find that
$$1/(\sqrt{D} - [\sqrt{D}]) = [\overline{a_1; a_2, \ldots, a_n, 2a_0}].$$
Therefore, when we equate these two expressions for the simple continued fraction of
$1/(\sqrt{D} - [\sqrt{D}])$, we obtain
$$a_1 = a_n, \quad a_2 = a_{n-1}, \quad \ldots, \quad a_n = a_1,$$
so that the periodic part of the continued fraction for $\sqrt{D}$ is symmetric from the first to
the penultimate term.

In conclusion, we see that the simple continued fraction of $\sqrt{D}$ has the form
$$\sqrt{D} = [a_0; \overline{a_1, a_2, \ldots, a_2, a_1, 2a_0}].$$


We illustrate this with some examples. 


Example 12.16. Note that
$$\sqrt{23} = [4; \overline{1, 3, 1, 8}],$$
$$\sqrt{31} = [5; \overline{1, 1, 3, 5, 3, 1, 1, 10}],$$
$$\sqrt{46} = [6; \overline{1, 2, 1, 1, 2, 6, 2, 1, 1, 2, 1, 12}],$$
$$\sqrt{76} = [8; \overline{1, 2, 1, 1, 5, 4, 5, 1, 1, 2, 1, 16}],$$
and
$$\sqrt{97} = [9; \overline{1, 5, 1, 1, 1, 1, 1, 1, 5, 1, 18}],$$
where each continued fraction has a pre-period of length 1, and a period ending with
twice the first partial quotient, which is symmetric from the first to the next-to-the-last
term.


The simple continued fraction expansions of $\sqrt{d}$ for positive integers $d$ such that $d$
is not a perfect square and $d < 100$ can be found in Table 5 of Appendix D.
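
The following Python sketch is an added example, not part of the original text. It runs the $P_k$, $Q_k$ recurrence in exact integer arithmetic, stops at the first repeated pair $(P_k, Q_k)$ as in the proof of Lagrange's theorem, and checks the reduced/purely periodic criterion of Theorem 12.23 and the symmetric form of $\sqrt{D}$; the function names are this example's own.

```python
from math import isqrt


def periodic_cf(P, Q, d):
    """Expand (P + sqrt(d))/Q as a simple continued fraction.

    Returns (pre_period, period) as two lists of partial quotients.
    """
    if Q == 0 or d <= 0 or isqrt(d) ** 2 == d:
        raise ValueError("need Q != 0 and d a positive non-square")
    # Lemma 12.5: rescale so that Q divides d - P^2; the value is unchanged.
    if (d - P * P) % Q != 0:
        P, Q, d = P * abs(Q), Q * abs(Q), d * Q * Q
    r = isqrt(d)                      # [sqrt(d)], exact integer arithmetic
    first_seen = {}                   # (P_k, Q_k) -> index k
    quotients = []
    while (P, Q) not in first_seen:
        first_seen[(P, Q)] = len(quotients)
        # a_k = [alpha_k]; sqrt(d) is irrational, so flooring it first is exact.
        a = (P + r) // Q if Q > 0 else -((P + r) // -Q) - 1
        quotients.append(a)
        P = a * Q - P                 # P_{k+1} = a_k Q_k - P_k
        Q = (d - P * P) // Q          # Q_{k+1} = (d - P_{k+1}^2) / Q_k
    start = first_seen[(P, Q)]        # the pair (P_i, Q_i) has come back
    return quotients[:start], quotients[start:]


def is_reduced(P, Q, d):
    """True when alpha = (P + sqrt(d))/Q has alpha > 1 and -1 < alpha' < 0."""
    if Q <= 0:
        return False                  # alpha > 1 with Q < 0 forces alpha' > 0
    # alpha > 1        <=>  sqrt(d) > Q - P
    # -1 < alpha' < 0  <=>  P < sqrt(d) < P + Q
    greater_than_one = Q - P < 0 or d > (Q - P) ** 2
    conj_negative = P < 0 or d > P * P
    conj_above_minus_one = P + Q > 0 and d < (P + Q) ** 2
    return greater_than_one and conj_negative and conj_above_minus_one


def sqrt_period_is_symmetric(D):
    """Check that sqrt(D) = [a0; a1, a2, ..., a2, a1, 2*a0] with period after a0."""
    pre, period = periodic_cf(0, 1, D)
    body = period[:-1]
    return pre == [isqrt(D)] and period[-1] == 2 * isqrt(D) and body == body[::-1]


if __name__ == "__main__":
    print(periodic_cf(6, 4, 28))      # Example 12.14
    print(periodic_cf(0, 1, 23))      # sqrt(23) from Example 12.16
    print(periodic_cf(4, 1, 23))      # [sqrt(23)] + sqrt(23), purely periodic
```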


EXERCISES 


1. Find the simple continued fractions of each of the following numbers.
a) $\sqrt{7}$ b) $\sqrt{11}$ c) $\sqrt{23}$ d) $\sqrt{47}$ e) $\sqrt{59}$ f) $\sqrt{94}$

2. Find the simple continued fractions of each of the following numbers.
a) $\sqrt{101}$ b) $\sqrt{103}$ c) $\sqrt{107}$ d) $\sqrt{201}$ e) $\sqrt{203}$ f) $\sqrt{209}$

3. Find the simple continued fractions of each of the following numbers.
a) $1 + \sqrt{2}$ b) $(2 + \sqrt{5})/3$ c) $(5 - \sqrt{7})/4$

4. Find the simple continued fractions of each of the following numbers.
a) (1 4: V3) /2 b) (14 - V31) /3 c) (13 = v2)/7

5. Find the quadratic irrationality with each of the following simple continued fraction expansions.
a) [2; 1, 5] b) [2; 1, 5] c) [2; 1, 5]

6. Find the quadratic irrationality with each of the following simple continued fraction expansions.
a) [1; 2, 3] b) [1; 2, 3] c) [1; 2, 3]

7. Find the quadratic irrationality with each of the following simple continued fraction expansions.
a) [3; 6] b) [4; 8] c) [5; 10] d) [6; 12]

8. a) Let $d$ be a positive integer. Show that the simple continued fraction of $\sqrt{d^2 + 1}$ is $[d; \overline{2d}]$.
b) Use part (a) to find the simple continued fractions of $\sqrt{101}$, $\sqrt{290}$, and $\sqrt{2210}$.

9. Let $d$ be an integer, $d > 2$.
a) Show that the simple continued fraction of $\sqrt{d^2 - 1}$ is $[d - 1; \overline{1, 2d - 2}]$.
b) Show that the simple continued fraction of $\sqrt{d^2 - d}$ is $[d - 1; \overline{2, 2d - 2}]$.
c) Use parts (a) and (b) to find the simple continued fractions of $\sqrt{99}$, $\sqrt{110}$, $\sqrt{272}$, and
$\sqrt{600}$.

10. a) Show that if $d$ is an integer, $d > 3$, then the simple continued fraction of $\sqrt{d^2 - 2}$ is
$[d - 1; \overline{1, d - 2, 1, 2d - 2}]$.
b) Show that if $d$ is a positive integer, then the simple continued fraction of $\sqrt{d^2 + 2}$ is
$[d; \overline{d, 2d}]$.
c) Find the simple continued fraction expansions of $\sqrt{47}$, $\sqrt{5}$, and $\sqrt{287}$.

11. Let $d$ be an odd positive integer.
a) Show that the simple continued fraction of $\sqrt{d^2 + 4}$ is
$[d; \overline{(d - 1)/2, 1, 1, (d - 1)/2, 2d}]$, if $d > 1$.
b) Show that the simple continued fraction of $\sqrt{d^2 - 4}$ is
$[d - 1; \overline{1, (d - 3)/2, 2, (d - 3)/2, 1, 2d - 2}]$, if $d > 3$.

12. Show that the simple continued fraction of $\sqrt{d}$, where $d$ is a positive integer, has period length
one if and only if $d = a^2 + 1$, where $a$ is a nonnegative integer.

13. Show that the simple continued fraction of $\sqrt{d}$, where $d$ is a positive integer, has period length
two if and only if $d = a^2 + b$, where $a$ and $b$ are integers, $b > 1$, and $b \mid 2a$.

14. Prove that if $\alpha_1 = (a_1 + b_1\sqrt{d})/c_1$ and $\alpha_2 = (a_2 + b_2\sqrt{d})/c_2$ are quadratic irrationalities, then
the following hold.
a) $(\alpha_1 + \alpha_2)' = \alpha_1' + \alpha_2'$ b) $(\alpha_1 - \alpha_2)' = \alpha_1' - \alpha_2'$ c) $(\alpha_1\alpha_2)' = \alpha_1' \cdot \alpha_2'$

15. Which of the following quadratic irrationalities have purely periodic continued fractions?
a) $1 + \sqrt{5}$ b) $2 + \sqrt{8}$ c) $4 + \sqrt{17}$
d) $(11 - \sqrt{10})/9$ e) $(3 + \sqrt{23})/2$ f) $(17 + \sqrt{188})/3$

16. Suppose that $\alpha = (a + \sqrt{b})/c$, where $a$, $b$, and $c$ are integers, $b > 0$, and $b$ is not a perfect
square. Show that $\alpha$ is a reduced quadratic irrationality if and only if $0 < a < \sqrt{b}$ and
$\sqrt{b} - a < c < \sqrt{b} + a < 2\sqrt{b}$.

17. Show that if $\alpha$ is a reduced quadratic irrationality, then $-1/\alpha'$ is also a reduced quadratic

* 18. Let $k$ be a positive integer. Show that there are not infinitely many positive integers $D$, such
that the simple continued fraction expansion of $\sqrt{D}$ has a period of length $k$. (Hint: Let $a_1 =
2$, $a_2 = 5$, and for $k \ge 3$, let $a_k = 2a_{k-1} + a_{k-2}$. Show that if $D = (ta_k + 1)^2 + 2ta_{k-1} + 1$,
where $t$ is a nonnegative integer, then $\sqrt{D}$ has a period of length $k + 1$.)

* 19. Let $k$ be a positive integer. Let $D_k = (3^k + 1)^2 + 3$. Show that the simple continued fraction
of $\sqrt{D_k}$ has a period of length $6k$.

Computations and Explorations 


1. Find the simple continued fraction of $\sqrt{100{,}007}$, $\sqrt{1{,}000{,}007}$, and $\sqrt{10{,}000{,}007}$.

2. Find the smallest positive integer $D$ such that the length of the period of the simple continued
fraction of $\sqrt{D}$ is 10, 100, 1000, and 10,000.

3. Find the length of the largest period of the simple continued fraction of $\sqrt{D}$, where $D$ is a
positive integer less than 1003, less than 10,000, and less than 100,000. Can you make any
conjectures?

4. Look for patterns in the continued fractions of $\sqrt{D}$ for many different values of $D$.


Programming Projects 


* 1. Find the quadratic irrationality that is the value of a periodic simple continued fraction. 


2. Find the periodic simple continued fraction expansion of a quadratic irrationality. 


12.5 Factoring Using Continued Fractions 


We can factor the positive integer $n$ if we can find positive integers $x$ and $y$ such that
$x^2 - y^2 = n$ and $x - y \ne 1$. This is the basis of the Fermat factorization method discussed
in Section 3.6. However, it is possible to factor $n$ if we can find positive integers $x$ and
$y$ that satisfy the weaker condition

(12.20) $$x^2 \equiv y^2 \pmod{n}, \quad 0 < y < x < n, \quad \text{and} \quad x + y \ne n.$$

To see this, note that if (12.20) holds, then $n$ divides $x^2 - y^2 = (x + y)(x - y)$, and $n$
divides neither $x - y$ nor $x + y$. It follows that $(n, x - y)$ and $(n, x + y)$ are divisors
of $n$ that do not equal 1 or $n$. We can find these divisors rapidly using the Euclidean
algorithm.

Example 12.17. Note that $29^2 - 17^2 = 841 - 289 = 552 \equiv 0 \pmod{69}$. Because
$29^2 - 17^2 = (29 - 17)(29 + 17) \equiv 0 \pmod{69}$, both $(29 - 17, 69) = (12, 69)$ and
$(29 + 17, 69) = (46, 69)$ are divisors of 69 not equal to either 1 or 69; using the Euclidean
algorithm, we find that these factors are $(12, 69) = 3$ and $(46, 69) = 23$.


The continued fraction expansion of $\sqrt{n}$ can be used to find solutions of the congruence
$x^2 \equiv y^2 \pmod{n}$. The following theorem is the basis for this.

Theorem 12.24. Let $n$ be a positive integer that is not a perfect square. Define $\alpha_k =
(P_k + \sqrt{n})/Q_k$, $a_k = [\alpha_k]$, $P_{k+1} = a_k Q_k - P_k$, and $Q_{k+1} = (n - P_{k+1}^2)/Q_k$, for $k =
0, 1, 2, \ldots$, where $\alpha_0 = \sqrt{n}$. Furthermore, let $p_k/q_k$ denote the $k$th convergent of the
simple continued fraction expansion of $\sqrt{n}$. Then
$$p_k^2 - nq_k^2 = (-1)^{k-1} Q_{k+1}.$$

The proof of Theorem 12.24 depends on the following useful lemma.

Lemma 12.6. Let $r + s\sqrt{n} = t + u\sqrt{n}$, where $r$, $s$, $t$, and $u$ are rational numbers and
$n$ is a positive integer that is not a perfect square. Then $r = t$ and $s = u$.

Proof. Because $r + s\sqrt{n} = t + u\sqrt{n}$, we see that if $s \ne u$, then
$$\sqrt{n} = \frac{r - t}{u - s}.$$
Because $(r - t)/(u - s)$ is rational and $\sqrt{n}$ is irrational, it follows that $s = u$ and,
consequently, that $r = t$.

We can now prove Theorem 12.24.

Proof. Because $\sqrt{n} = \alpha_0 = [a_0; a_1, a_2, \ldots, a_k, \alpha_{k+1}]$, Theorem 12.9 tells us that
$$\sqrt{n} = \frac{\alpha_{k+1} p_k + p_{k-1}}{\alpha_{k+1} q_k + q_{k-1}}.$$
Because $\alpha_{k+1} = (P_{k+1} + \sqrt{n})/Q_{k+1}$, we have
$$\sqrt{n} = \frac{(P_{k+1} + \sqrt{n})p_k + Q_{k+1}p_{k-1}}{(P_{k+1} + \sqrt{n})q_k + Q_{k+1}q_{k-1}}.$$
Therefore, we see that
$$nq_k + (P_{k+1}q_k + Q_{k+1}q_{k-1})\sqrt{n} = (P_{k+1}p_k + Q_{k+1}p_{k-1}) + p_k\sqrt{n}.$$

By Lemma 12.6, we see that $nq_k = P_{k+1}p_k + Q_{k+1}p_{k-1}$ and $P_{k+1}q_k + Q_{k+1}q_{k-1} = p_k$.
When we multiply the first of these two equations by $q_k$ and the second by $p_k$, subtract
the first from the second, and then simplify, we obtain
$$p_k^2 - nq_k^2 = (p_k q_{k-1} - p_{k-1} q_k) Q_{k+1} = (-1)^{k-1} Q_{k+1},$$
where we have used Theorem 12.10 to complete the proof.


We now outline the technique known as the continued fraction algorithm for factoring
an integer $n$, which was proposed by D. H. Lehmer and R. E. Powers in 1931,
and further developed by J. Brillhart and M. A. Morrison in 1975 (see [LePo31] and
[MoBr75] for details). Suppose that the terms $p_k$, $q_k$, $Q_k$, $a_k$, and $\alpha_k$ have their usual
meanings in the computation of the continued fraction expansion of $\sqrt{n}$. By Theorem
12.24, it follows that for every nonnegative integer $k$,
$$p_k^2 \equiv (-1)^{k-1} Q_{k+1} \pmod{n},$$
where $p_k$ and $Q_{k+1}$ are as defined in the statement of the theorem. Now, suppose that $k$
is odd and that $Q_{k+1}$ is a square, that is, $Q_{k+1} = s^2$, where $s$ is a positive integer. Then
$p_k^2 \equiv s^2 \pmod{n}$, and we may be able to use this congruence of two squares modulo
$n$ to find factors of $n$. Summarizing, to factor $n$ we carry out the algorithm described
in Theorem 12.10 to find the continued fraction expansion of $\sqrt{n}$. We look for squares
among the terms with even indices in the sequence $\{Q_k\}$. Each such occurrence may lead
to a nonproper factor of $n$ (or may just lead to the factorization $n = 1 \cdot n$). We illustrate
this technique with several examples.


Example 12.18. We can factor 1037 using the continued fraction algorithm. Take $\alpha =
\sqrt{1037} = (0 + \sqrt{1037})/1$ with $P_0 = 0$ and $Q_0 = 1$, and generate the terms $P_k$, $Q_k$, $\alpha_k$,
and $a_k$. We look for squares among the terms with even indices in the sequence $\{Q_k\}$.
We find that $Q_1 = 13$ and $Q_2 = 49$. Because $49 = 7^2$ is a square, and the index of
$Q_2$ is even, we examine the congruence $p_1^2 \equiv (-1)^2 Q_2 \pmod{1037}$. Computing the
terms of the sequence $\{p_k\}$, we find that $p_1 = 129$. This gives the congruence $129^2 \equiv 49
\pmod{1037}$. Hence, $129^2 - 7^2 = (129 - 7)(129 + 7) \equiv 0 \pmod{1037}$. This produces the
factors $(129 - 7, 1037) = (122, 1037) = 61$ and $(129 + 7, 1037) = (136, 1037) = 17$ of
1037.

Example 12.19. We can use the continued fraction algorithm to find factors of
1,000,009 (we follow computations of [Ri85]). We have $Q_1 = 9$, $Q_2 = 445$, $Q_3 = 873$,
and $Q_4 = 81$. Because $81 = 9^2$ is a square, we examine the congruence $p_3^2 \equiv (-1)^4 Q_4
\pmod{1{,}000{,}009}$. However, $p_3 = 2{,}000{,}009 \equiv -9 \pmod{1{,}000{,}009}$, so that $p_3 + 9$ is
divisible by 1,000,009. It follows that we do not get any proper factors of 1,000,009 from
this.

We continue until we reach another square in the sequence $\{Q_k\}$ with $k$ even. This
happens when $k = 18$ with $Q_{18} = 16$. Calculating $p_{17}$ gives $p_{17} = 494{,}881$. From the
congruence $p_{17}^2 \equiv (-1)^{18} Q_{18} \pmod{1{,}000{,}009}$, we have $494{,}881^2 \equiv
4^2 \pmod{1{,}000{,}009}$. It follows that $(494881 - 4, 1000009) = (494877, 1000009) = 293$
and $(494881 + 4, 1000009) = (494885, 1000009) = 3413$ are factors of 1,000,009.


More powerful techniques based on continued fraction expansions are known. These
are described in [Di84], [Gu75], and [WaSm87]. We describe one such generalization in
the exercises.
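
As an added illustration (not code from the text), the basic continued fraction algorithm described above can be written in a few lines of Python: it generates $Q_{k+1}$ and $p_k \bmod n$ together, tests each even-index $Q_k$ for being a perfect square, and tries the two greatest common divisors from Theorem 12.24. The function names and the `max_terms` cutoff are this example's own choices.

```python
from math import gcd, isqrt


def even_square_hits(n, max_terms=10_000):
    """Yield (k, Q_k, p_{k-1} mod n) for even k where Q_k is a perfect square."""
    a0 = isqrt(n)
    if a0 * a0 == n:
        raise ValueError("n must not be a perfect square")
    P, Q = 0, 1                       # P_0, Q_0 for alpha_0 = sqrt(n)
    p_prev, p = 0, 1                  # p_{-2}, p_{-1}
    for k in range(max_terms):
        a = (P + a0) // Q             # a_k = [alpha_k], exact since Q_k > 0
        p_prev, p = p, (a * p + p_prev) % n   # p_k, reduced modulo n
        P = a * Q - P                 # P_{k+1} = a_k Q_k - P_k
        Q = (n - P * P) // Q          # Q_{k+1} = (n - P_{k+1}^2) / Q_k
        s = isqrt(Q)
        # Theorem 12.24: p_k^2 = (-1)^(k-1) Q_{k+1} (mod n); need k + 1 even.
        if (k + 1) % 2 == 0 and s * s == Q:
            yield k + 1, Q, p


def cfrac_factor(n, max_terms=10_000):
    """Return a pair of nontrivial factors of n, or None if none was found."""
    for _k, Q, p in even_square_hits(n, max_terms):
        s = isqrt(Q)                  # p^2 = s^2 (mod n)
        for candidate in (gcd(p - s, n), gcd(p + s, n)):
            if 1 < candidate < n:     # skip the trivial outcome n = 1 * n
                return tuple(sorted((candidate, n // candidate)))
    return None


if __name__ == "__main__":
    print(cfrac_factor(1037))         # Example 12.18
    print(cfrac_factor(1_000_009))    # Example 12.19
```

For 1,000,009 the first even-index square, $Q_4 = 81$, only gives the trivial factorization, so the loop moves on to later squares, as in Example 12.19.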


EXERCISES 


1. Find factors of 119 using the congruence $19^2 \equiv 2^2 \pmod{119}$.

2. Factor 1537 using the continued fraction algorithm.

3. Factor the integer 13,290,059 using the continued fraction algorithm. (Hint: Use a computer
program to generate the integers $Q_k$ for the continued fraction for $\sqrt{13{,}290{,}059}$. You will
need more than 50 terms.)

4. Let $n$ be a positive integer and let $p_1, p_2, \ldots,$ and $p_m$ be primes. Suppose that there exist
integers $x_1, x_2, \ldots, x_r$ such that
$$x_1^2 \equiv (-1)^{e_{01}} p_1^{e_{11}} \cdots p_m^{e_{m1}} \pmod{n},$$
$$x_2^2 \equiv (-1)^{e_{02}} p_1^{e_{12}} \cdots p_m^{e_{m2}} \pmod{n},$$
$$\vdots$$
$$x_r^2 \equiv (-1)^{e_{0r}} p_1^{e_{1r}} \cdots p_m^{e_{mr}} \pmod{n},$$
where
$$e_{01} + e_{02} + \cdots + e_{0r} = 2e_0,$$
$$e_{11} + e_{12} + \cdots + e_{1r} = 2e_1,$$
$$\vdots$$
$$e_{m1} + e_{m2} + \cdots + e_{mr} = 2e_m.$$
Show that $x^2 \equiv y^2 \pmod{n}$, where $x = x_1 x_2 \cdots x_r$ and $y = (-1)^{e_0} p_1^{e_1} \cdots p_m^{e_m}$. Explain how
to factor $n$ using this information. Here, the primes $p_1, \ldots, p_m$, together with $-1$, are called
the factor base.

5. Show that 143 can be factored by setting $x_1 = 17$ and $x_2 = 19$, taking the factor base to be
{3, 5}.

6. Let $n$ be a positive integer and let $p_1, p_2, \ldots, p_r$ be primes. Suppose that $Q_{k_i} = \prod_{j=1}^{r} p_j^{k_{ij}}$
for $i = 1, \ldots, t$, where the integers $Q_j$ have their usual meaning with respect to the continued
fraction of $\sqrt{n}$. Explain how $n$ can be factored if $\sum_{i=1}^{t} k_i$ is even and $\sum_{i=1}^{t} k_{ij}$ is even for
$j = 1, 2, \ldots, r$.

7. Show that 12,007,001 can be factored using the continued fraction expansions of
$\sqrt{12{,}007{,}001}$ with factor base $-1$, 2, 31, 71, 97. (Hint: Use the factorizations $Q_1 = 2^3 \cdot 97$,
$Q_{12} = 2^4 \cdot 71$, $Q_{28} = 2^{11}$, $Q_{34} = 31 \cdot 97$, and $Q_{41} = 31 \cdot 71$, and show that $p_0 p_{11} p_{27} p_{33} p_{40} =
9{,}815{,}310$.)

8. Factor 197,209 using the continued fraction expansion of $\sqrt{197{,}209}$ and factor base 2, 3, 5.


Computations and Explorations


1. Use the continued fraction algorithm to factor $F_7 = 2^{2^7} + 1$.

2. Use the continued fraction algorithm to find the prime factorization of $N_j$, where $N_j$ is the
$j$th term of the sequence defined by $N_1 = 2$, $N_{j+1} = p_1 p_2 \cdots p_j + 1$, where $p_j$ is the largest
prime factor of $N_j$. (For example, $N_2 = 3$, $N_3 = 7$, $N_4 = 43$, $N_5 = 1807$, and so on.)


Programming Projects 


1. Factor positive integers using the continued fraction algorithm. 


2. Factor positive integers using factor bases and continued fraction expansions (see Exercise
6).


13 Some Nonlinear Diophantine Equations


An equation with the restriction that only integer (or sometimes rational) solutions
are sought is called a diophantine equation. We have already studied a simple type
of diophantine equation, namely, linear diophantine equations (Section 3.6). We learned
how all solutions in integers of a linear diophantine equation can be found. But what
about nonlinear diophantine equations?


It is a deep theorem (beyond the scope of this text) that there is no general method 
for solving all nonlinear diophantine equations. However, many results have been es- 
tablished about particular nonlinear diophantine equations, as well as certain families 
of nonlinear diophantine equations. This chapter addresses several types of nonlinear 
diophantine equations. First, we will consider the diophantine equation $x^2 + y^2 = z^2$,
satisfied by the lengths of the sides of a right triangle. A triple of integers (x, y, z) that 
solves this equation is called a Pythagorean triple. After finding an explicit formula for 
Pythagorean triples, we will show this formula can be found by determining all the points 
(x, y) on the unit circle with rational coefficients using geometric reasoning. 


After studying the diophantine equation $x^2 + y^2 = z^2$, we will consider the famous
diophantine equation $x^n + y^n = z^n$, where $n$ is an integer greater than 2. That is, we will
be interested in whether the sum of the nth powers of two integers can also be the nth 
power of an integer, where none of the three integers equals 0. Fermat stated that there 
are no solutions of this diophantine equation when n > 2 (a statement known as Fermat’s 
last theorem), but for more than 350 years no one could find a proof. The first proof of 
this theorem was discovered by Andrew Wiles in 1995, which ended one of the greatest 
challenges of mathematics. The proof of Fermat’s last theorem is far beyond the scope 
of this book, but we will be able to provide a proof for the case when n = 4. 


Next, we will consider the problem of representing integers as the sums of squares. 
We will determine which integers can be written as the sum of two squares. Furthermore, 
we will prove that every positive integer is the sum of four squares. 


We will also study the diophantine equation $x^2 - dy^2 = 1$, known as Pell’s equation.
We will show that the solutions of this equation can be found using the simple continued
fraction of $\sqrt{d}$, providing another example of the usefulness of continued fractions.


Finally, we will study the famous congruent number problem, which asks which 
integers are the area of a right triangle with sides of integer length. Progress on this 
ancient problem has been made in recent years through the use of elliptic curves, a type of 
cubic diophantine equation. We will show how finding rational points on certain elliptic
curves can be used to study the congruent number problem.


Pythagorean Triples


The Pythagorean theorem tells us that the sum of the squares of the lengths of the legs 
of a right triangle equals the square of the length of the hypotenuse. Conversely, any 
triangle for which the sum of the squares of the lengths of the two shortest sides equals 
the square of the third side is a right triangle. Consequently, to find all right triangles with 
integral side lengths, we need to find all triples of positive integers (x, y, z) satisfying 
the diophantine equation 


(13.1) $$x^2 + y^2 = z^2.$$


Triples of positive integers satisfying this equation are called Pythagorean triples after
the ancient Greek mathematician Pythagoras. Similarly, we call a right triangle with
integer side lengths a Pythagorean triangle.


Example 13.1. The triples (3, 4, 5), (6, 8, 10), and (5, 12, 13) are Pythagorean triples
because $3^2 + 4^2 = 5^2$, $6^2 + 8^2 = 10^2$, and $5^2 + 12^2 = 13^2$.


Unlike most nonlinear diophantine equations, it is possible to explicitly describe all
the integral solutions of (13.1). Before developing the result describing all Pythagorean
triples, we need a definition.


Definition. A Pythagorean triple $(x, y, z)$ is called primitive if $x$, $y$, and $z$ are relatively
prime, that is, if $(x, y, z) = 1$. We call a triangle a primitive right triangle if its sides have
lengths from a primitive Pythagorean triple.


Remark. Unfortunately, the notation (x, y, z) can denote the ordered triple of numbers 
x, y, and z or the greatest common divisor of x, y, and z. Fortunately, the context in 
which this notation is used will always make it clear which meaning is intended. 


PYTHAGORAS (c. 572-c. 500 B.C.E.) was born on the Greek island of Samos.
After extensive travels and studies, Pythagoras founded his famous school at
the Greek port of Crotona, in what is now southern Italy. Besides being an
academy devoted to the study of mathematics, philosophy, and science, the
school was the site of a brotherhood sharing secret rites. The Pythagoreans, as
the members of this brotherhood were called, published nothing and ascribed all
their discoveries to Pythagoras himself. However, it is believed that Pythagoras
himself discovered what is now called the Pythagorean theorem, namely, that
$a^2 + b^2 = c^2$, where $a$, $b$, and $c$ are the lengths of the two legs and of the hypotenuse of a right triangle,
respectively. The Pythagoreans believed that the key to understanding the world lay with natural
numbers and form. Their central tenet was “Everything is Number.” Because of their fascination with
the natural numbers, the Pythagoreans made many discoveries in number theory. In particular, they
studied perfect numbers and amicable numbers for the mystical properties they felt these numbers
possessed.


Example 13.2. The Pythagorean triples (3, 4, 5) and (5, 12, 13) are primitive, whereas
the Pythagorean triple (6, 8, 10) is not.


Let $(x, y, z)$ be a Pythagorean triple with $(x, y, z) = d$. Then there are integers
$x_1$, $y_1$, $z_1$ with $x = dx_1$, $y = dy_1$, $z = dz_1$, and $(x_1, y_1, z_1) = 1$. Furthermore, because
$$x^2 + y^2 = z^2,$$
we have
$$(x/d)^2 + (y/d)^2 = (z/d)^2,$$
so that
$$x_1^2 + y_1^2 = z_1^2.$$

Hence, $(x_1, y_1, z_1)$ is a primitive Pythagorean triple, and the original triple $(x, y, z)$ is
simply an integral multiple of this primitive Pythagorean triple.

Also note that any integral multiple of a primitive (or for that matter any)
Pythagorean triple is again a Pythagorean triple. If $(x_1, y_1, z_1)$ is a primitive Pythagorean
triple, then we have
$$x_1^2 + y_1^2 = z_1^2,$$
and hence,
$$(dx_1)^2 + (dy_1)^2 = (dz_1)^2,$$
so that $(dx_1, dy_1, dz_1)$ is a Pythagorean triple.

Consequently, all Pythagorean triples can be found by forming integral multiples of
primitive Pythagorean triples. To find all primitive Pythagorean triples, we need some
lemmas. The first lemma tells us that any two integers of a primitive Pythagorean triple
are relatively prime.

Lemma 13.1. If $(x, y, z)$ is a primitive Pythagorean triple, then $(x, y) = (x, z) =
(y, z) = 1$.

Proof. Suppose that $(x, y, z)$ is a primitive Pythagorean triple and $(x, y) > 1$. Then,
there is a prime $p$ such that $p \mid (x, y)$, so that $p \mid x$ and $p \mid y$. Because $p \mid x$ and $p \mid y$,
we know that $p \mid (x^2 + y^2) = z^2$. Because $p \mid z^2$, we can conclude that $p \mid z$. This is a
contradiction, because $(x, y, z) = 1$. Therefore, $(x, y) = 1$. In a similar manner, we can
easily show that $(x, z) = (y, z) = 1$.


Next, we establish a lemma about the parity of the integers of a primitive Pythagorean
triple.

Lemma 13.2. If $(x, y, z)$ is a primitive Pythagorean triple, then $x$ is even and $y$ is odd
or $x$ is odd and $y$ is even.

Proof. Let $(x, y, z)$ be a primitive Pythagorean triple. By Lemma 13.1, we know that
$(x, y) = 1$, so that $x$ and $y$ cannot both be even. Also, $x$ and $y$ cannot both be odd. If $x$
and $y$ were both odd, then we would have
$$x^2 \equiv y^2 \equiv 1 \pmod{4},$$
so that
$$z^2 = x^2 + y^2 \equiv 2 \pmod{4}.$$
This is impossible. Therefore, $x$ is even and $y$ is odd, or vice versa.


The final lemma that we need is a consequence of the fundamental theorem of 
arithmetic. It tells us that two relatively prime integers that multiply together to give 
a square must both be squares. 


Lemma 13.3. If $r$, $s$, and $t$ are positive integers such that $(r, s) = 1$ and $rs = t^2$, then
there are integers $m$ and $n$ such that $r = m^2$ and $s = n^2$.

Proof. If $r = 1$ or $s = 1$, then the lemma is obviously true, so we may suppose that $r > 1$
and $s > 1$. Let the prime-power factorizations of $r$, $s$, and $t$ be
$$r = p_1^{a_1} p_2^{a_2} \cdots p_u^{a_u},$$
$$s = p_{u+1}^{a_{u+1}} p_{u+2}^{a_{u+2}} \cdots p_v^{a_v},$$
and
$$t = q_1^{b_1} q_2^{b_2} \cdots q_k^{b_k}.$$
Because $(r, s) = 1$, the primes occurring in the factorizations of $r$ and $s$ are distinct.
Because $rs = t^2$, we have
$$p_1^{a_1} p_2^{a_2} \cdots p_u^{a_u} p_{u+1}^{a_{u+1}} p_{u+2}^{a_{u+2}} \cdots p_v^{a_v} = q_1^{2b_1} q_2^{2b_2} \cdots q_k^{2b_k}.$$
From the fundamental theorem of arithmetic, the prime powers occurring on the two
sides of the above equation are the same. Hence, each $p_i$ must be equal to $q_j$ for some
$j$ with matching exponents, so that $a_i = 2b_j$. Consequently, every exponent $a_i$ is even,
and therefore $a_i/2$ is an integer. We see that $r = m^2$ and $s = n^2$, where $m$ and $n$ are the
integers
$$m = p_1^{a_1/2} p_2^{a_2/2} \cdots p_u^{a_u/2}$$
and
$$n = p_{u+1}^{a_{u+1}/2} p_{u+2}^{a_{u+2}/2} \cdots p_v^{a_v/2}.$$

We can now prove the desired result that describes all primitive Pythagorean triples. 


Theorem 13.1. The triple $(x, y, z)$ of positive integers is a primitive Pythagorean triple,
with $y$ even, if and only if there are relatively prime positive integers $m$ and $n$, $m > n$,
with $m$ odd and $n$ even or $m$ even and $n$ odd, such that
$$x = m^2 - n^2,$$
$$y = 2mn,$$
$$z = m^2 + n^2.$$

Proof. Let $(x, y, z)$ be a primitive Pythagorean triple. We will show that there are
integers $m$ and $n$ as specified in the statement of the theorem. Lemma 13.2 tells us that
$x$ is odd and $y$ is even, or vice versa. Because we have assumed that $y$ is even, $x$ and $z$
are both odd. Hence, $z + x$ and $z - x$ are both even, so that there are positive integers $r$
and $s$ with $r = (z + x)/2$ and $s = (z - x)/2$.

Because $x^2 + y^2 = z^2$, we have $y^2 = z^2 - x^2 = (z + x)(z - x)$. Hence,
$$\left(\frac{y}{2}\right)^2 = \left(\frac{z + x}{2}\right)\left(\frac{z - x}{2}\right) = rs.$$

We note that $(r, s) = 1$. To see this, let $(r, s) = d$. Because $d \mid r$ and $d \mid s$, $d \mid (r + s) = z$
and $d \mid (r - s) = x$. This means that $d \mid (x, z) = 1$, so that $d = 1$.

Using Lemma 13.3, we see that there are positive integers $m$ and $n$ such that $r = m^2$
and $s = n^2$. Writing $x$, $y$, and $z$ in terms of $m$ and $n$, we have
$$x = r - s = m^2 - n^2,$$
$$y = \sqrt{4rs} = \sqrt{4m^2n^2} = 2mn,$$
$$z = r + s = m^2 + n^2.$$

We also see that $(m, n) = 1$, because any common divisor of $m$ and $n$ must also divide
$x = m^2 - n^2$, $y = 2mn$, and $z = m^2 + n^2$, and we know that $(x, y, z) = 1$. We also note
that $m$ and $n$ cannot both be odd, for if they were, then $x$, $y$, and $z$ would all be even,
contradicting the condition $(x, y, z) = 1$. Because $(m, n) = 1$ and $m$ and $n$ cannot both
be odd, we see that $m$ is even and $n$ is odd, or vice versa. This shows that every primitive
Pythagorean triple has the appropriate form.

To complete the proof, we must show that every triple $(x, y, z)$ with
$$x = m^2 - n^2,$$
$$y = 2mn,$$
$$z = m^2 + n^2,$$
where $m$ and $n$ are positive integers, $m > n$, $(m, n) = 1$, and $m \not\equiv n \pmod{2}$, is a primitive
Pythagorean triple. First, note that $m^2 - n^2$, $2mn$, $m^2 + n^2$ forms a Pythagorean triple
because
$$x^2 + y^2 = (m^2 - n^2)^2 + (2mn)^2$$
$$= (m^4 - 2m^2n^2 + n^4) + 4m^2n^2$$
$$= m^4 + 2m^2n^2 + n^4$$
$$= (m^2 + n^2)^2$$
$$= z^2.$$
To see that this triple forms a primitive Pythagorean triple, we must show that these
values of $x$, $y$, and $z$ are mutually relatively prime. Assume for the sake of contradiction
that $(x, y, z) = d > 1$. Then there is a prime $p \mid (x, y, z)$. We note that $p \ne 2$, because
$x$ is odd (because $x = m^2 - n^2$, where $m^2$ and $n^2$ have opposite parity). Also, note that
because $p \mid x$ and $p \mid z$, $p \mid (z + x) = 2m^2$ and $p \mid (z - x) = 2n^2$. Hence, $p \mid m$ and $p \mid n$,
contradicting the fact that $(m, n) = 1$. Therefore, $(x, y, z) = 1$, and $(x, y, z)$ is a primitive
Pythagorean triple, concluding the proof.


The following example illustrates the use of Theorem 13.1 to produce a Pythagorean 
triple. 


Example 13.3. Let $m = 5$ and $n = 2$, so that $(m, n) = 1$, $m \not\equiv n \pmod{2}$, and $m > n$.
Hence, Theorem 13.1 tells us that $(x, y, z)$ with
$$x = m^2 - n^2 = 5^2 - 2^2 = 21,$$
$$y = 2mn = 2 \cdot 5 \cdot 2 = 20,$$
$$z = m^2 + n^2 = 5^2 + 2^2 = 29$$
is a primitive Pythagorean triple.


We list the primitive Pythagorean triples generated using Theorem 13.1 with $m \le 6$
in Table 13.1.


Rational Points on the Unit Circle 


We now turn our attention to a problem in diophantine geometry, the subject of finding 
points on algebraic curves whose coordinates are all integers or are all rational numbers. 
Points with rational coordinates on a curve are called rational points on this curve. We
will find all rational points on the unit circle $x^2 + y^2 = 1$ using geometric reasoning.


An immediate benefit of finding all rational points on the unit circle is that we can
find all Pythagorean triples from these rational points. To see the relationship between
Pythagorean triples and rational points on the unit circle, first suppose that a, b, and c
are integers with $c \ne 0$ and $a^2 + b^2 = c^2$ (so that (a, b, c) is a Pythagorean triple when
these integers are positive). Dividing both sides of this equation by $c^2$, we obtain

$$(a/c)^2 + (b/c)^2 = 1.$$


Hence, the point (a/c, b/c) is a rational point on the unit circle $x^2 + y^2 = 1$, so that every
Pythagorean triple has an associated rational point on the unit circle.


    m    n    x = m^2 - n^2    y = 2mn
    2    1          3             4
    3    2          5            12
    4    1         15             8
    4    3          7            24
    5    2         21            20
    5    4          9            40
    6    1         35            12
    6    5         11            60

Table 13.1 Some primitive Pythagorean triples.


Conversely, suppose that the point (x, y) is a rational point on the unit circle, so
that $x^2 + y^2 = 1$ where x and y are rational numbers. Because both x and y are rational
numbers, we can express each as a ratio of two integers where the denominator is not
zero. By choosing the least common denominator for these rational numbers, we can
write x = a/c and y = b/c where a, b, and c are integers with $c \ne 0$ and

$$(a/c)^2 + (b/c)^2 = 1.$$

Multiplying both sides by $c^2$ tells us that $a^2 + b^2 = c^2$. So, if a and b are both positive,
then (a, b, c) is a Pythagorean triple.


We now use some simple ideas from geometry to find the rational points on the unit
circle. First, note that the points (0, 1), (0, −1), (1, 0), and (−1, 0) are rational points
on this circle. Of these four points, we choose the point (−1, 0) to begin our work. Next,
observe that if (x, y) is a point with rational coordinates in the plane, then the slope of the
line between (x, y) and (−1, 0) is t = y/(x + 1), which is also rational. Now suppose
that t is a rational number and consider the line y = t(x + 1) that goes through (−1, 0).
We will show that this line intersects the unit circle in a second rational point (see Figure
13.1). This will allow us to parameterize all rational points of the unit circle other than
(−1, 0) in terms of the rational number t. (In general, the parameterization of a curve is
the specification of the points on this curve in terms of one or more variables.)


Figure 13.1 Parameterizing rational points on the unit circle.


To find the intersection of the line y = t(x + 1) with the unit circle $x^2 + y^2 = 1$, we
substitute t(x + 1) for y in the equation for this circle and solve for x. We find that

$$x^2 + t^2(x + 1)^2 = 1.$$

We next subtract 1 from both sides and factor $x^2 - 1$ to obtain

$$(x^2 - 1) + t^2(x + 1)^2 = (x + 1)(x - 1) + t^2(x + 1)^2 = 0.$$

Factoring out the common factor x + 1 tells us that

$$(x + 1)[(x - 1) + t^2(x + 1)] = 0.$$

We note that x = −1 is a solution; this is no surprise because (−1, 0) is on the line. The
other solution is found by solving

$$(x - 1) + t^2(x + 1) = 0$$

for x. This gives $x = (1 - t^2)/(1 + t^2)$. We find the corresponding value for y using the
equation of the line y = t(x + 1). This tells us that

$$y = t(x + 1) = t\left(\frac{1 - t^2}{1 + t^2} + 1\right) = t\left(\frac{1 - t^2}{1 + t^2} + \frac{1 + t^2}{1 + t^2}\right) = \frac{2t}{1 + t^2}.$$

We conclude that the other point of intersection of the line y = t(x + 1) with the unit
circle is the point $\left(\frac{1 - t^2}{1 + t^2}, \frac{2t}{1 + t^2}\right)$. This is a rational point when t is rational, because both
of its coordinates are rational functions of t (and rational functions of a rational number
t are rational because they are the quotient of two polynomials in t, and products, sums,
and quotients of rational numbers are rational).


We have found all the rational points on the unit circle, namely, (−1, 0) and all
points of the form $\left(\frac{1 - t^2}{1 + t^2}, \frac{2t}{1 + t^2}\right)$ where t is rational.


When we take t = m/n, where m and n are positive integers, in the parameterization
we have found for the rational points on the unit circle, we obtain a formula for all
Pythagorean triples. That is, given positive integers m and n, we obtain the rational
point $\left(\frac{n^2 - m^2}{n^2 + m^2}, \frac{2mn}{n^2 + m^2}\right)$ on the unit circle. From our earlier comments, we see that
$(m^2 - n^2, 2mn, m^2 + n^2)$ is a Pythagorean triple.


Note that when we found the rational points on the unit circle, we found the rational 
points on an algebraic curve of the form f(x, y) = 0 where f(x, y) is a polynomial with 
integer coefficients. This is an important type of diophantine problem. By expressing the 
rational points in terms of the rational number t, we gave a rational parameterization of
this curve. See Exercises 21–24 for additional examples of rational parameterizations of
algebraic curves. 
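The following Python sketch is an added example, not part of the book. It ties Theorem 13.1 to the rational parameterization: it regenerates the (m, n) rows of Table 13.1, maps a slope t to its rational point, and cross-checks the theorem against a brute-force search. All function names are assumptions chosen for this illustration.

```python
from fractions import Fraction
from math import gcd, isqrt


def primitive_triples(max_m):
    """Rows (m, n, x, y, z) from Theorem 13.1 for 2 <= m <= max_m:
    m > n >= 1, gcd(m, n) = 1, and m, n of opposite parity."""
    rows = []
    for m in range(2, max_m + 1):
        for n in range(1, m):
            if gcd(m, n) == 1 and (m - n) % 2 == 1:
                rows.append((m, n, m * m - n * n, 2 * m * n, m * m + n * n))
    return rows


def rational_point(t):
    """Second intersection of the line y = t(x + 1) with x^2 + y^2 = 1."""
    t = Fraction(t)
    d = 1 + t * t
    return (1 - t * t) / d, 2 * t / d


def slope_from_point(x, y):
    """Slope of the line through (-1, 0) and the rational point (x, y)."""
    return Fraction(y) / (Fraction(x) + 1)


def triple_from_point(x, y):
    """Clear the least common denominator c of (a/c, b/c) to get (a, b, c)."""
    x, y = Fraction(x), Fraction(y)
    c = x.denominator * y.denominator // gcd(x.denominator, y.denominator)
    return (x * c).numerator, (y * c).numerator, c


def theorem_triples_up_to(zmax):
    """Primitive triples (x odd, y even, z) with z <= zmax via Theorem 13.1."""
    # z = m^2 + n^2 > m^2, so m <= isqrt(zmax) is enough.
    return {(x, y, z) for _, _, x, y, z in primitive_triples(isqrt(zmax))
            if z <= zmax}


def brute_force_triples_up_to(zmax):
    """Same set found by direct search, independent of the theorem."""
    found = set()
    for z in range(1, zmax + 1):
        for x in range(1, z, 2):            # x odd
            y = isqrt(z * z - x * x)
            if y * y == z * z - x * x and y % 2 == 0 and gcd(x, y) == 1:
                found.add((x, y, z))
    return found


if __name__ == "__main__":
    for row in primitive_triples(6):
        print(row)
    # The triple built from (m, n) = (5, 2) sits on the line of slope n/m.
    px, py = Fraction(21, 29), Fraction(20, 29)
    print(slope_from_point(px, py), rational_point(Fraction(2, 5)))
    print(theorem_triples_up_to(100) == brute_force_triples_up_to(100))
```

For the triple generated by (m, n), the slope of the line through (−1, 0) and (x/z, y/z) is y/(x + z) = 2mn/(2m²) = n/m, which is what `slope_from_point` returns.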


EXERCISES 


1. a) Find all primitive Pythagorean triples (x, y, z) with z < 40.
   b) Find all Pythagorean triples (x, y, z) with z < 40.

2. Show that if (x, y, z) is a primitive Pythagorean triple, then either x or y is divisible by 3.

3. Show that if (x, y, z) is a primitive Pythagorean triple, then exactly one of x, y, and z is
   divisible by 5.

4. Show that if (x, y, z) is a primitive Pythagorean triple, then at least one of x, y, and z is
   divisible by 4.

5. Show that every positive integer greater than 2 is part of at least one Pythagorean triple.

6. Let $x_1 = 3$, $y_1 = 4$, $z_1 = 5$, and let $x_n$, $y_n$, $z_n$, for n = 2, 3, 4, ..., be defined recursively by

   $$x_{n+1} = 3x_n + 2z_n + 1,$$
   $$y_{n+1} = 3x_n + 2z_n + 2,$$
   $$z_{n+1} = 4x_n + 3z_n + 2.$$

   Show that $(x_n, y_n, z_n)$ is a Pythagorean triple.

7. Show that if (x, y, z) is a Pythagorean triple with y = x + 1, then (x, y, z) is one of the
   Pythagorean triples given in Exercise 6.


8. Find all solutions in positive integers of the diophantine equation $x^2 + 2y^2 = z^2$.

9. Find all solutions in positive integers of the diophantine equation $x^2 + 3y^2 = z^2$.

10. Find all solutions in positive integers of the diophantine equation $w^2 + x^2 + y^2 = z^2$.

11. Find all Pythagorean triples containing the integer 12.

12. Find formulas for the integers of all Pythagorean triples (x, y, z) with z = y + 1.

13. Find formulas for the integers of all Pythagorean triples (x, y, z) with z = y + 2.

14. Show that the number of Pythagorean triples (x, y, z) (with $x^2 + y^2 = z^2$) with a fixed integer
    x is $(\tau(x^2) - 1)/2$ if x is odd, and $(\tau(x^2/4) - 1)/2$ if x is even.

15. Find all solutions in positive integers of the diophantine equation $x^2 + py^2 = z^2$, where p is
    a prime.

16. Find all solutions in positive integers of the diophantine equation $1/x^2 + 1/y^2 = 1/z^2$.

17. Show that $(f_n f_{n+3},\ 2f_{n+1}f_{n+2},\ f_{n+1}^2 + f_{n+2}^2)$ is a Pythagorean triple, where $f_k$ denotes the
    kth Fibonacci number.

18. Find the length of the sides of all right triangles, where the sides have integer lengths and the
    area equals the perimeter.


19. Find all rational points on the unit circle $x^2 + y^2 = 1$ by determining the intersection of a line
    with rational slope t that goes through the point (1, 0) with the unit circle.

20. Find all rational points on the unit circle $x^2 + y^2 = 1$ by determining the intersection of a line
    with rational slope t that goes through (0, 1) with the unit circle.

21. Find all rational points on the circle $x^2 + y^2 = 2$ by determining the intersection of a line
    with rational slope t that goes through (1, 1) with this circle.

22. Find all rational points on the ellipse $x^2 + 3y^2 = 4$ by determining the intersection of a line
    with rational slope t that goes through (1, 1) with this ellipse.

23. Find all rational points on the ellipse $x^2 + xy + y^2 = 1$ by determining the intersection of a
    line with rational slope t that goes through the point (−1, 0) with this ellipse.

24. Suppose that d is a positive integer. Find all rational points on the hyperbola $x^2 - dy^2 = 1$ by
    determining the intersection of a line with rational slope t that goes through the point (−1, 0)
    on the hyperbola.

25. Show that there are no rational points on the circle $x^2 + y^2 = 3$.

26. Show that there are no rational points on the circle $x^2 + y^2 = 15$.

27. Find all rational points on the unit sphere $x^2 + y^2 + z^2 = 1$. (Hint: Use the stereographic
    projection of the unit sphere to the plane z = 0. This projection maps the point (x, y, z)
    on the sphere to the point (u, v, 0) that is the intersection of the line through this point
    and (0, 0, 1), the north pole of the sphere, and the plane z = 0. Parameterize the rational
    points on the unit sphere using two rational parameters u and v corresponding to this point
    of intersection.)


Computations and Explorations 


1. Find as many Pythagorean triples (x, y, z) as you can, where each of x, y, and z is 1 less
   than the square of an integer. Do you think that there are infinitely many such triples?

2. Let A(n) denote the number of primitive Pythagorean triples with hypotenuse less than n. Find
   $A(10^i)$ for 1 < i < 6. By examining $A(10^i)/10^i$ for these values of i, formulate a conjecture
   for the value approached by A(n)/n as n grows without bound.


Programming Projects 


1. Given a positive integer n, find all Pythagorean triples containing n.

2. Given a positive integer n, find all Pythagorean triples with hypotenuse < n.

3. Given a positive integer n, find the number of primitive Pythagorean triples with hypotenuse
   < n.


Fermat’s Last Theorem 


In the previous section, we showed that the diophantine equation $x^2 + y^2 = z^2$ has
infinitely many solutions in nonzero integers x, y, z. What happens when we replace
the exponent 2 in this equation with an integer greater than 2? Next to the discussion of
the equation $x^2 + y^2 = z^2$ in his copy of the works of Diophantus, Fermat wrote in the
margin:


However, it is impossible to write a cube as the sum of two cubes, a fourth power 
as the sum of two fourth powers and in general any power as the sum of two similar 
powers. For this I have discovered a truly wonderful proof, but the margin is too 
small to contain it. 


Fermat did have a proof of this theorem for the special case of n = 4. We will present 
a proof for this case, using his basic methods, later in this section. Although we will 
never know for certain whether Fermat had a proof of this result for all integers n > 2, 
mathematicians believe it is extremely unlikely that he did. By 1800, all other statements 
that he made in the margins of his copy of the works of Diophantus were resolved; some 
were proved and some were shown to be false. Nevertheless, the following theorem is 
called Fermat’s last theorem. 


Theorem 13.2. Fermat’s Last Theorem. The diophantine equation


has no solutions in nonzero integers x, y, and z when n is an integer with $n \ge 3$.


Note that if we could show that the diophantine equation


has no solution in nonzero integers x, y, and z whenever p is an odd prime, we would 
know that Fermat’s last theorem is true (see Exercise 2 at the end of this section).


The quest for a proof of Fermat’s last theorem challenged mathematicians for more
than 350 years. Many great mathematicians have worked on this problem without ultimate
success. However, a long series of interesting partial results was established,
and new areas of number theory were born as mathematicians attempted to solve this
problem. The first major development was Euler’s proof in 1770 of Fermat’s last theorem
for the case n = 3. (That is, he showed that there are no solutions of the equation
$x^3 + y^3 = z^3$ in nonzero integers.) Euler’s proof contained an important error, but
Legendre managed to fill in the gap soon afterward.


In 1805, French mathematician Sophie Germain proved a general result about
Fermat’s last theorem, as opposed to a proof for a particular value of the exponent n.
She showed that if p and 2p + 1 are both primes, then $x^p + y^p = z^p$ has no solutions in
integers x, y, and z, with $xyz \ne 0$ when $p \nmid xyz$. As a special case, she showed that if
$x^5 + y^5 = z^5$, then one of the integers x, y, and z must be divisible by 5. In 1825, both
Dirichlet and Legendre, in independent work, completed the proof of the case when
n = 5, using the method of infinite descent used by Fermat to prove the n = 4 case (and
which we will demonstrate later in this section). Fourteen years later, the case of n = 7
was settled by Lamé, also using a proof by infinite descent.


In the mid-nineteenth century, mathematicians took some new approaches in attempts
to prove Fermat’s last theorem for all exponents n. The greatest success in this
direction was made by the German mathematician Ernst Kummer. He realized that a
potentially promising approach, based on the assumption that unique factorization into
primes held for certain sets of algebraic integers, was doomed to failure. To overcome this
difficulty, Kummer developed a theory that supported unique factorization into primes.
His basic idea was the concept of “ideal numbers.” Using this concept, Kummer could
prove Fermat’s last theorem for a large class of primes called regular primes. Although
there are primes, and perhaps infinitely many primes, that are irregular, Kummer’s work
showed that Fermat’s last theorem was true for many values of n. In particular, Kummer’s
work showed that Fermat’s last theorem was true for all prime exponents less than
100 other than 37, 59, and 67, because these are the only primes less than 100 that are
irregular. Kummer’s introduction of “ideal numbers” gave birth to the subject of algebraic
number theory, which blossomed into a major field of study, and to the part of abstract
algebra known as ring theory. The exponents Kummer’s work did not address—37, 59,
67, and other relatively irregular primes—fell to a variety of more powerful techniques
in subsequent years.


SOPHIE GERMAIN (1776-1831) was born in Paris and educated at home, using
her father’s extensive library as a resource. She decided as a young teenager
to study mathematics when she discovered that Archimedes was murdered by
the Romans. She started by reading the works of Euler and Newton. Although
Germain did not attend classes, she learned from university course notes that she
managed to obtain. After reading the notes from Lagrange’s lectures, she sent
him a letter under the pseudonym M. Leblanc. Lagrange, impressed with the
insights displayed in this letter, decided to meet M. Leblanc; he was surprised
to find that its author was a young woman. Germain corresponded under the pseudonym M. LeBlanc
with many mathematicians, including Legendre, who included many of her discoveries in his book
Theorie des Nombres. She also made important contributions to the mathematical theories of elasticity
and acoustics. Gauss was impressed by her work and recommended that she receive a doctorate from
the University of Göttingen. Unfortunately, she died just before she was to receive this degree.


In 1983, the German mathematician Gerd Faltings managed to show that $x^n + y^n = z^n$
can have only a finite number of solutions in nonzero integers for a fixed positive
integer $n \ge 3$. Of course, if this finite number could have been shown to be zero for all
integers $n \ge 3$, Fermat’s last theorem would have been proved. The path to the ultimate
proof of Fermat’s last theorem began in 1986 when the German mathematician Gerhard
Frey made the first connection of Fermat’s last theorem to the subject of elliptic curves.
His remarkable work surprised mathematicians by linking two seemingly unrelated
areas.


Computers were used to run several different numerical tests that could verify that
Fermat’s last theorem was true for particular values of n. By 1977, Sam Wagstaff used
such tests (and several years of computer time) to verify that Fermat’s last theorem held
for all exponents n with n < 125,000. By 1993, such tests had been used to verify that
Fermat’s last theorem was true for all exponents n with $n < 4 \cdot 10^6$. However, at that
time, no proof of Fermat’s last theorem seemed to be in sight.


ERNST EDUARD KUMMER (1810-1893) was born in Sorau, Prussia (now
Germany). His father, a physician, died in 1813. Kummer received private
tutoring before entering the Gymnasium in Sorau in 1819. In 1828, he entered
the University of Halle to study theology; his training for philosophy included
the study of mathematics. Inspired by his mathematics instructor, H. F. Scherk,
he switched to mathematics as his major field of study. Kummer was awarded
a doctorate from the University of Halle in 1831, and began teaching at the
Gymnasium in Sorau, his old school, that same year. The following year he took
a similar position teaching at the Gymnasium in Liegnitz (now the Polish city of Legnica), holding
the post for ten years. His research on topics in function theory, including extensions of Gauss’s work
on hypergeometric series, attracted the attention of leading German mathematicians. They worked to
find him a university position.

In 1842, Kummer was appointed to a position at the University of Breslau (now Wroclaw, Poland)
and began working on number theory. In 1843, in an attempt to prove Fermat’s last theorem, he
introduced the concept of “ideal numbers.” Although this did not lead to a proof of Fermat’s last
theorem, Kummer’s ideas led to the development of new areas of abstract algebra and the new subject
of algebraic number theory. In 1855, he moved to the University of Berlin, where he remained until
his retirement in 1883.

Kummer was a popular instructor. He was noted for the clarity of his lectures as well as his sense
of humor and concern for his students. He was married twice. His first wife, the cousin of Dirichlet’s
wife, died in 1848, eight years after she and Kummer were married.


Then, in 1993, Andrew Wiles, a professor at Princeton University, shocked the
mathematical world when he showed that he could prove Fermat’s last theorem. He did
this in a series of lectures in Cambridge, England. He had given no hint that the subject
of his lectures was a proof of this notorious theorem. The proof he outlined was the
culmination of seven years of solitary work. It used a vast array of highly sophisticated
methods related to the theory of elliptic curves. Knowledgeable mathematicians were
impressed with Wiles’s arguments. Word began to spread that Fermat’s last theorem had
finally been proved. However, when Wiles’s 200-page manuscript was studied carefully,
a serious problem was found. Although it appeared for a time that it might not be possible
to fill the gap in the proof, more than a year later, Wiles (with the help of R. Taylor)
managed to fill in the remaining portions of the proof. In 1995, Wiles published his
revised proof of Fermat’s last theorem, now only 125 pages long. This version passed
careful review. Wiles’s 1995 proof marked the end of the more than 350-year search for
a proof of Fermat’s last theorem.


ANDREW WILES (b. 1953) became interested in Fermat’s last theorem at
the age of 10 when, during a visit to his local library, he found a book stating
the problem. He was struck that though it looked simple, none of the great
mathematicians could solve it, and he knew that he would never let this problem
go. In 1971, Wiles entered Merton College, Oxford. He graduated with his B.A.
in 1974, and entered Clare College, Cambridge, where he pursued his doctorate,
working on the theory of elliptic curves under John Coates. He was a Research
Fellow at Clare College and a Benjamin Peirce Assistant Professor at Harvard
from 1977 until 1980. In 1981, he held a post at the Institute for Advanced Study in Princeton, and
in 1982 he was appointed to a professorship at Princeton University. He was awarded a Guggenheim
Fellowship in 1985 and spent a year studying at the Institut des Hautes Etudes Scientifique and the
Ecole Normale Supérieure in Paris. Ironically, he did not realize that during his years of work in the
field of elliptic curves he was learning techniques that would someday help him solve the problem
that obsessed him.


Wiles’s Seven-Year Quest

In 1986, Wiles learned of work by Frey and Ribet that showed that Fermat’s last theorem
follows from a conjecture in the theory of elliptic curves, known as the Shimura-Taniyama
conjecture. Realizing that this led to a possible strategy for proving the theorem, he abandoned
his ongoing research and devoted himself entirely to working on Fermat’s last theorem.

During the first few years of this work, he talked to colleagues about his progress.
However, he decided that talking to others generated too much interest and was too distracting.
During his seven years of concentrated, solitary work on Fermat’s last theorem, he decided
that he only had time for “his problem” and his family. His best way to relax during time
away from his work was to spend time with his young children.

In 1993, Wiles revealed to several colleagues that he was close to a proof of Fermat’s
last theorem. After filling what he thought were the remaining gaps, he presented an outline
of his proof at Cambridge. Although there had been false alarms in the past about promising
proofs of Fermat’s last theorem, mathematicians generally believed Wiles had a valid proof.
However, a subtle but serious error in reasoning was found when he wrote up his results
for publication. Wiles worked diligently, with the help of a former student, for more than a
year, almost giving up in frustration, before he found a way to fill the gap.

Wiles’s success has brought him countless awards and accolades. It has also brought
him peace of mind. He has said that “having solved this problem there’s certainly a sense
of loss, but at the same time there is this tremendous sense of freedom. I was so obsessed
by this problem that for eight years I was thinking about it all the time—when I woke up in
the morning to when I went to sleep at night. That particular odyssey is now over. My mind
is at rest.”


Wiles’s proof of Fermat’s last theorem is one of those rare mathematical discoveries 
covered by the popular media. An excellent NOVA episode about this discovery was 
produced by PBS (information on this show can be found at the PBS Web site). Another 
source of general information about the proof is Fermat’s Enigma: The Epic Quest to 
Solve the World’s Greatest Mathematical Problem by Simon Singh ([Si97]). A thorough
treatment of the proof, including the mathematics of elliptic curves used in it, can 
be found in [CoSiSt97]. The original proof by Wiles was published in the Annals of 
Mathematics in 1995 ([Wi95]). 


The Wolfskehl Prize 

There was added incentive besides fame to prove Fermat’s last theorem. In 1908, the German 
industrialist Paul Wolfskehl bequeathed a prize of 100,000 marks to the Göttingen Academy
of Sciences, to be awarded to the first person to publish a proof of Fermat’s last theorem. 
Unfortunately, thousands of incorrect proofs were published in a vain attempt to win the 
prize, with more than 1000 published, usually as privately printed pamphlets, between 1908 
and 1912 alone. (Many people, often without serious mathematical training and sometimes 
without a clear notion of what a correct proof is, attempt to solve famous problems such 
as this one even if no prize is available.) Even though Wiles’s proof was acclaimed to be 
correct, it took two years for the Göttingen Academy of Sciences to award the Wolfskehl
prize to Wiles; they wanted to be certain the proof was really correct. 

Contrary to rumors that the prize had been reduced by inflation to almost nothing, 
maybe even a pfennig (a German penny), Wiles received approximately $50,000. The prize 
of 100,000 marks, originally worth around $1,500,000, had been reduced to approximately 
$500,000 after World War I by German hyperinflation, and the introduction of the deutsche 
mark after World War II further reduced its value. Many people have speculated about 
why Wolfskehl left such a large prize for a proof of Fermat’s last theorem. People with a 
romantic slant enjoyed the rumor that, suicidal after being jilted by his true love, he had 
regained his will to live when he found out about Fermat’s last theorem. However, more 
realistic biographical research indicates that he donated the money to spite his wife, Marie, 
whom he was forced to marry by his family. He did not want his fortune going to her after 
he died, so instead it went to the first person who could prove Fermat’s last theorem. 

Readers interested in learning more about the history of Fermat’s last theorem, and
how investigations relating to this conjecture led to the genesis of the theory of algebraic 
numbers, are encouraged to consult [Ed96], [Ri79], and [Va96]. 


The Proof for n = 4


The proof we will give for the case when n = 4 uses the method of infinite descent devised
by Fermat. This method is an offshoot of the well-ordering property, and shows that
a diophantine equation has no solutions by showing that for every solution there is a
“smaller” solution, contradicting the well-ordering property.


Using the method of infinite descent, we will show that the diophantine equation
$x^4 + y^4 = z^2$ has no solutions in nonzero integers x, y, and z. This is stronger than
showing Fermat’s last theorem is true for n = 4, because any $x^4 + y^4 = z^4 = (z^2)^2$ gives
a solution of $x^4 + y^4 = z^2$.


Theorem 13.3. The diophantine equation

$$x^4 + y^4 = z^2$$

has no solutions in nonzero integers x, y, and z.


Proof. Assume that this equation has a solution in nonzero integers x, y, and z. Because 
we may replace any number of the variables with their negatives without changing the 
validity of the equation, we may assume that x, y, and z are positive integers. 


We may also suppose that (x, y) = 1. To see this, let (x, y) = d. Then $x = dx_1$ and
$y = dy_1$, with $(x_1, y_1) = 1$, where $x_1$ and $y_1$ are positive integers. Because $x^4 + y^4 = z^2$,
we have

$$(dx_1)^4 + (dy_1)^4 = z^2,$$

so that

$$d^4(x_1^4 + y_1^4) = z^2.$$

Hence, $d^4 \mid z^2$ and, by Exercise 43 of Section 3.5, we know that $d^2 \mid z$. Therefore,
$z = d^2 z_1$, where $z_1$ is a positive integer. Thus,

$$d^4(x_1^4 + y_1^4) = (d^2 z_1)^2 = d^4 z_1^2,$$

so that

$$x_1^4 + y_1^4 = z_1^2.$$

This gives a solution of $x^4 + y^4 = z^2$ in positive integers $x = x_1$, $y = y_1$, and $z = z_1$ with
$(x_1, y_1) = 1$.


So suppose that $x = x_0$, $y = y_0$, and $z = z_0$ is a solution of $x^4 + y^4 = z^2$, where
$x_0$, $y_0$, and $z_0$ are positive integers with $(x_0, y_0) = 1$. We will show that there is another
solution in positive integers $x = x_1$, $y = y_1$, and $z = z_1$ with $(x_1, y_1) = 1$, such that $z_1 < z_0$.

Because $x_0^4 + y_0^4 = z_0^2$, we have

$$(x_0^2)^2 + (y_0^2)^2 = z_0^2,$$

so that $x_0^2$, $y_0^2$, $z_0$ is a Pythagorean triple. Furthermore, we have $(x_0^2, y_0^2) = 1$, for if p
is a prime such that $p \mid x_0^2$ and $p \mid y_0^2$, then $p \mid x_0$ and $p \mid y_0$, contradicting the fact that
$(x_0, y_0) = 1$. Hence, $x_0^2$, $y_0^2$, $z_0$ is a primitive Pythagorean triple, and, by Theorem 13.1,
we know that there are positive integers m and n with (m, n) = 1, $m \not\equiv n \pmod{2}$, and

$$x_0^2 = m^2 - n^2,$$
$$y_0^2 = 2mn,$$
$$z_0 = m^2 + n^2,$$

where we have interchanged $x_0^2$ and $y_0^2$, if necessary, to make $y_0^2$ the even integer of this
pair.


From the equation for $x_0^2$, we see that

$$x_0^2 + n^2 = m^2.$$

Because (m, n) = 1, it follows that $x_0$, n, m is a primitive Pythagorean triple, m is odd,
and n is even. Again, using Theorem 13.1, we see that there are positive integers r and
s with (r, s) = 1, $r \not\equiv s \pmod{2}$, and

$$x_0 = r^2 - s^2,$$
$$n = 2rs,$$
$$m = r^2 + s^2.$$

Because m is odd and (m, n) = 1, we know that (m, 2n) = 1. We note that because
$y_0^2 = (2n)m$, Lemma 13.3 tells us that there are positive integers $z_1$ and w with $m = z_1^2$
and $2n = w^2$. Because w is even, w = 2v, where v is a positive integer, so that

$$v^2 = n/2 = rs.$$

Because (r, s) = 1, Lemma 13.3 tells us that there are positive integers $x_1$ and $y_1$ such
that $r = x_1^2$ and $s = y_1^2$. Note that because (r, s) = 1, it easily follows that $(x_1, y_1) = 1$.
Hence,

$$x_1^4 + y_1^4 = r^2 + s^2 = m = z_1^2,$$

where $x_1$, $y_1$, $z_1$ are positive integers with $(x_1, y_1) = 1$. Moreover, we have $z_1 < z_0$,
because

$$z_1 \le z_1^4 = m^2 < m^2 + n^2 = z_0.$$

To complete the proof, assume that $x^4 + y^4 = z^2$ has at least one integral solution.
By the well-ordering property, we know that among the solutions in positive integers
there is a solution with the smallest value $z_0$ of the variable z. However, we have shown
that from this solution we can find another solution with a smaller value of the variable
z, leading to a contradiction. This completes the proof by the method of infinite descent. ■


Conjectures About Some Diophantine Equations


The resolution of a longstanding conjecture in mathematics often leads to new conjectures,
and this certainly is the case for Fermat’s last theorem. For example, Andrew Beal,
a banker and amateur mathematician, conjectured that a generalized version of Fermat’s
last theorem is true, where the exponents on the three terms in the equation $x^n + y^n = z^n$
are allowed to be different.


Beal’s Conjecture The equation $x^a + y^b = z^c$ has no solutions in positive integers
x, y, z, a, b, c, where $a \ge 3$, $b \ge 3$, and $c \ge 3$ and (x, y) = (y, z) = (x, z) = 1.


Beal’s conjecture has not been solved. To generate interest in his conjecture, Andrew 
Beal has offered a prize of $100,000 for a proof or a counterexample. 


The proof of Fermat’s last theorem in the 1990s settled what was the best-known
conjecture related to diophantine equations. Surprisingly, in 2002, another well-known,
longstanding conjecture about diophantine equations was also settled. In 1844, the
Belgian mathematician Eugene Catalan conjectured that the only consecutive positive
integers that are both powers (squares, cubes, or higher powers) of integers are $8 = 2^3$
and $9 = 3^2$. In other words, he made the following conjecture.


The Catalan Conjecture The diophantine equation

$$x^m - y^n = 1$$

has no solutions in positive integers x, y, m, and n, where $m \ge 2$ and $n \ge 2$, other than
x = 3, y = 2, m = 2, and n = 3.


Certain cases of the Catalan conjecture have been settled since the fourteenth century
when Levi ben Gerson proved that 8 and 9 were the only consecutive integers that
are powers of 2 and 3. That is, he showed that if $3^n - 2^m = \pm 1$, where m and n are
positive integers with $m \ge 2$ and $n \ge 2$, then m = 3 and n = 2. In the eighteenth century,
Euler used the method of infinite descent to prove that the only consecutive cube and
square are 8 and 9. That is, he proved that the only solution of the diophantine equation
$x^3 - y^2 = \pm 1$ is x = 2 and y = 3. Additional progress was made during the nineteenth
and early twentieth centuries, and in 1976, R. Tijdeman showed that the Catalan equation
had at most a finite number of solutions. It was not until 2002 that the Catalan conjecture
was settled, when Preda Mihailescu finally proved that this conjecture is correct.


A new conjecture has been formulated that attempts to unify Fermat’s last theorem 
and Mihailescu’s theorem proving the Catalan conjecture. 


Fermat-Catalan Conjecture The equation x? + y® = 7° has at most finitely many 
solutions if (x, y) = (y, z) = (x, z) = land 3 + } +4 21. 


The Fermat-Catalan conjecture remains open. At the present time, ten solutions of 
this diophantine equation are known that satisfy the hypotheses. They are: 

$$1 + 2^3 = 3^2,$$
$$2^5 + 7^2 = 3^4,$$
$$7^3 + 13^2 = 2^9,$$
$$2^7 + 17^3 = 71^2,$$
$$3^5 + 11^4 = 122^2,$$
$$17^7 + 76271^3 = 21063928^2,$$
$$1414^3 + 2213459^2 = 65^7,$$
$$9262^3 + 15312283^2 = 113^7,$$
$$43^8 + 96222^3 = 30042907^2,$$
$$33^8 + 1549034^2 = 15613^3.$$


The abc Conjecture 


In 1985, Joseph Oesterlé and David Masser formulated a conjecture that intrigues many 
mathematicians. If true, their conjecture could be used to resolve questions about many
well-known diophantine equations. Before stating the conjecture, we need to introduce 
some notation. 


Definition. If $n$ is a positive integer, then $\mathrm{rad}(n)$ is the product of the distinct prime
factors of $n$. Note that $\mathrm{rad}(n)$ is also called the squarefree part of $n$ because it can be
obtained by eliminating all the factors that produce squares from the prime factorization
of $n$.


LEVI BEN GERSON (1288-1344), born at Bagnols in southern France, was a man
of many talents. He was a Jewish philosopher and biblical scholar, a mathematician,
an astronomer, and a physician. Most likely he made his living by practicing medicine,
especially because he never held a rabbinical post. Little is known about the particulars of
his life other than that he lived in Orange and later in Avignon. In 1321, Levi wrote The
Book of Numbers dealing with arithmetical operations, including the extraction of roots.
Later in life, he wrote On Sines, Chords and Arcs, a book dealing with trigonometry, which
gives sine tables that were long noted for their accuracy. In 1343, the bishop of Meaux asked
Levi to write a commentary on the first five books of Euclid, which he called The Harmony
of Numbers. Levi also invented an instrument to measure the angular distance between
celestial objects called Jacob’s staff. He observed both lunar and solar eclipses and proposed
new astronomical models based on the data he collected. His philosophical writings are
extensive. They are considered to be major contributions to medieval philosophy.

Levi maintained contacts with prominent Christians, and was noted for the universality
of his thinking. Pope Clement VI even translated some of Levi’s astronomical writings into
Latin, and the astronomer Kepler made use of this translation. Levi was fortunate to live
in Provence, where popes provided some protection to Jews, rather than another part of
France. However, at times persecution made it difficult for Levi to work, even preventing
him from obtaining important volumes of Jewish scholarship.


Example 13.4. If n= 2*.3?-53-7*- 11, then $\mathrm{rad}(n) = 2 \cdot 3 \cdot 5 \cdot 7 \cdot 11 = 2310$. ◄

We can now state the conjecture.


abc Conjecture For every real number $\epsilon > 0$ there exists a constant $K(\epsilon)$ such that if
$a$, $b$, and $c$ are integers such that $a + b = c$ and $(a, b) = 1$, then

$$\max(|a|, |b|, |c|) < K(\epsilon)\,(\mathrm{rad}(abc))^{1+\epsilon}.$$


Many deep results have been shown to be consequences of this conjecture. It would take 
us too far afield to develop the background and motivation for the abc conjecture. To 
learn about the origins of the conjecture and its consequences, see the expository articles 
[GrTu02] and [Ma00]. In the following example, we will show how the abc conjecture 
can be used to prove a result related to Fermat’s last theorem. 


Example 13.5. We can apply the abc conjecture to obtain a partial solution of Fermat’s
last theorem. We follow an argument of Granville and Tucker [GrTu02]. Suppose that

$$x^n + y^n = z^n,$$

where $x$, $y$, and $z$ are pairwise relatively prime integers. Let $a = x^n$, $b = y^n$, and $c = z^n$.
We can estimate $\mathrm{rad}(abc) = \mathrm{rad}(x^n y^n z^n)$ by noting that

$$\mathrm{rad}(x^n y^n z^n) = \mathrm{rad}(xyz) \le xyz < z^3.$$

The equality $\mathrm{rad}(x^n y^n z^n) = \mathrm{rad}(xyz)$ holds because the primes dividing $x^n y^n z^n$ are the
same as the primes dividing $xyz$. The first inequality follows because $\mathrm{rad}(m) \le m$ for
every positive integer $m$, and the last inequality holds because $x$ and $y$ are positive, so
that $x < z$ and $y < z$.


EUGÈNE CATALAN (1814-1894) was born in Bruges, Belgium. He graduated
from the École Polytechnique in 1835. He then was appointed to a teaching
post at Châlons sur Marne. Catalan obtained a lectureship in descriptive geometry
at the École Polytechnique in 1838, with the help of his schoolmate Joseph
Liouville, who was impressed by Catalan’s mathematical talents. Unfortunately,
Catalan’s career was adversely affected by the reaction of the authorities to his
political activity in favor of the French Republic. Catalan published extensively
on topics in number theory and other areas of mathematics. He is perhaps best
known for his definition of the numbers now known as Catalan numbers, which appear in so many
contexts in enumeration problems. He used these numbers to solve the problem of determining the
number of regions produced by the dissection of a polygon into triangles by nonintersecting diagonals.
It turns out that Catalan was not the first to solve this problem, because it was solved in the eighteenth
century by Segner, who presented a less elegant solution than Catalan.

Now applying the abc conjecture and noting that $\max(|a|, |b|, |c|) = z^n$, for every
$\epsilon > 0$, there exists a constant $K(\epsilon) > 0$ such that

$$z^n < K(\epsilon)(z^3)^{1+\epsilon}.$$

If we can take $\epsilon = 1/6$ and $n \ge 4$, it is easy to see that $n - 3(1 + \epsilon) \ge n/8$. This implies
that

$$z^n < K(1/6)^8,$$

where $K(1/6)$ is the value of the constant $K(\epsilon)$ for $\epsilon = 1/6$. It follows that $z < K(1/6)^{8/n}$.
Consequently, in a solution of $x^n + y^n = z^n$ with $n \ge 4$, the numbers $x$, $y$, and $z$ are all
less than a fixed bound, which implies that there are only finitely many such solutions. ◄


EXERCISES 


1. Show that if $x, y, z$ is a Pythagorean triple and $n$ is an integer with $n > 2$, then
$x^n + y^n \ne z^n$.

2. Show that Fermat’s last theorem is a consequence of Theorem 13.3, and of the assertion that
$x^p + y^p = z^p$ has no solutions in nonzero integers when $p$ is an odd prime.

3. Using Fermat’s little theorem, show that if $p$ is prime, and

a) if $x^{p-1} + y^{p-1} = z^{p-1}$, then $p \mid xyz$.
b) if $x^p + y^p = z^p$, then $p \mid (x + y - z)$.

4. Show that the diophantine equation $x^4 - y^4 = z^2$ has no solutions in nonzero integers using
the method of infinite descent.

5. Using Exercise 4, show that the area of a right triangle with integer sides is never a perfect
square.

6. Show that the diophantine equation $x^4 + 4y^4 = z^2$ has no solutions in nonzero integers.

7. Show that the diophantine equation $x^4 + 8y^4 = z^2$ has no solutions in nonzero integers.

8. Show that the diophantine equation $x^4 + 3y^4 = z^2$ has infinitely many solutions.

9. Find all solutions in the rational numbers of the diophantine equation $y^2 = x^4 + 1$.


A diophantine equation of the form $y^2 = x^3 + k$, where $k$ is an integer, is called a Bachet equation
after Claude Bachet, a French mathematician of the early seventeenth century.


10. Show that the Bachet equation $y^2 = x^3 + 7$ has no solutions. (Hint: Consider the congruence
resulting by first adding 1 to both sides of the equation and reducing modulo 4.)

* 11. Show that the Bachet equation $y^2 = x^3 + 23$ has no solutions in integers $x$ and $y$. (Hint: Look
at the congruence obtained by reducing this equation modulo 4.)

* 12. Show that the Bachet equation $y^2 = x^3 + 45$ has no solutions in integers $x$ and $y$. (Hint: Look
at the congruence obtained by reducing this equation modulo 8.)

13. Show that in a Pythagorean triple there is at most one square.

14. Show that the diophantine equation $x^2 + y^2 = z^3$ has infinitely many integer solutions,
by showing that for each positive integer $k$, the integers $x = 3k^2 - 1$, $y = k(k^2 - 3)$, and
$z = k^2 + 1$ form a solution.

15. This exercise asks for a proof of a theorem proved by Sophie Germain in 1805. Suppose
that $n$ and $p$ are odd primes, such that $p \mid xyz$ whenever $x$, $y$, and $z$ are integers such that
$x^n + y^n + z^n \equiv 0 \pmod{p}$. Further suppose that there are no solutions of the congruence
$w^n \equiv n \pmod{p}$. Show that if $x$, $y$, and $z$ are integers such that $x^n + y^n + z^n = 0$, then $n \mid xyz$.

16. Show that the diophantine equation $w^3 + x^3 + y^3 = z^3$ has infinitely many nontrivial solutions.
(Hint: Take $w = 9zk^4$, $x = z(1 - 9k^3)$, and $y = 3zk(1 - 3k^3)$, where $z$ and $k$ are nonzero
integers.)

17. Can you find four consecutive positive integers such that the sum of the cubes of the first
three is the cube of the fourth integer?

18. Prove that the diophantine equation $w^4 + x^4 = y^4 + z^4$ has infinitely many nontrivial solutions.
(Hint: Follow Euler by taking $w = m^7 + m^5n^2 - 2m^3n^4 + 3m^2n^5 + mn^6$,
$x = m^6n - 3m^5n^2 - 2m^4n^3 + m^2n^5 + n^7$, $y = m^7 + m^5n^2 - 2m^3n^4 - 3m^2n^5 + mn^6$, and
$z = m^6n + 3m^5n^2 - 2m^4n^3 + m^2n^5 + n^7$, where $m$ and $n$ are positive integers.)

19. Show that the only solution of the diophantine equation $3^n - 2^m = -1$ in positive integers $m$
and $n$ is $m = 2$ and $n = 1$.

20. Show that the only solution of the diophantine equation $3^n - 2^m = 1$ in positive integers $m$
and $n$ is $m = 3$ and $n = 2$.

21. The diophantine equation $x^2 + y^2 + z^2 = 3xyz$ is called Markov’s equation.

a) Show that if $x = a$, $y = b$, and $z = c$ is a solution of Markov’s equation, then $x = a$, $y = b$,
and $z = 3ab - c$ is also a solution of Markov’s equation.


CLAUDE GASPAR BACHET DE MEZIRIAC (1581-1638) was born in
Bourg-en-Bresse, France. His father was an aristocrat and was the highest judicial
officer in the province. His early education took place at a house of the
Jesuit order of the Duchy of Savoy. Later, he studied under the Jesuits in Lyon,
Padua, and Milan. In 1601, he entered the Jesuit Order in Milan where it is
presumed that he taught. Unfortunately, he became ill in 1602 and left the Jesuit
order. He resolved to live a life of leisure on his estate at Bourg-en-Bresse,
which produced a considerable annual income for him. Bachet married in 1612
and had seven children. Bachet spent almost all of his life living on his estate, except for 1619-1620,
when he lived in Paris. While in Paris, it was suggested that he become tutor to Louis XIII. This led
to a hasty departure from the royal court.

Bachet’s work in number theory concentrated on diophantine equations. In 1612, he presented
a complete discussion on the solution of linear diophantine equations. In 1621, Bachet conjectured 
that every positive integer can be written as the sum of four squares; he checked his conjecture for all 
integers up to 325. Also, in 1621, Bachet discussed the diophantine equation that now bears his name. 
He is best known, however, for his Latin translation from the original Greek of Diophantus’ book 
Arithmetica. It was in his copy of this book that Fermat wrote his marginal note about what we now 
call Fermat’s last theorem. Bachet also wrote books on mathematical puzzles. His writings were the 
basis of most later books on mathematical recreations. Bachet discovered a method of constructing 
magic squares. He was elected to the French Academy in 1635. 

Bachet also composed literary works, including poems in French, Italian, and Latin, translated 
religious works and some of Ovid’s writings, and published an anthology of French poems entitled 
Délices. 

* b) Show that every solution in positive integers of Markov’s equation is generated starting
with the solution $x = 1$, $y = 1$, and $z = 1$ and successively using part (a).

** 22. Apply the abc conjecture to the Catalan equation $x^m - y^n = 1$, where $m$ and $n$ are integers
with $m \ge 2$ and $n \ge 2$, to obtain a partial solution of the Catalan conjecture.

** 23. Apply the abc conjecture to show that there are no solutions to Beal’s conjecture when the
exponents are sufficiently large.


Computations and Explorations


1. Euler conjectured that no sum of fewer than $n$ $n$th powers of nonzero integers is equal to the
$n$th power of an integer. Show that this conjecture is false (as was shown in 1966 by Lander
and Parkin) by finding four fifth powers of integers whose sum is also the fifth power of an
integer. Can you find other counterexamples to Euler’s claim?

2. Given a positive integer $n$, find as many pairs of equal sums of $n$th powers as you can.


Programming Projects

1. Given a positive integer $n$, search for solutions of the diophantine equation $x^n + y^n = z^n$.

2. Generate solutions of the diophantine equation $x^2 + y^2 = z^3$ (see Exercise 16).

3. Given a positive integer $k$, search for solutions in integers of Bachet’s equation $y^2 = x^3 + k$.

4. Generate the solutions of Markov’s equation, defined in Exercise 21.


13.3 Sums of Squares


Mathematicians throughout history have been interested in problems regarding the
representation of integers as sums of squares. Diophantus, Fermat, Euler, and Lagrange are
among the mathematicians who made important contributions to the solution of such
problems. In this section, we discuss two questions of this kind: Which integers are the
sum of two squares? What is the least integer $n$ such that every positive integer is the
sum of $n$ squares?


We begin by considering the first question. Not every positive integer is the sum of
two squares. In fact, $n$ is not the sum of two squares if it is of the form $4k + 3$. To see this,
note that because $a^2 \equiv 0$ or $1 \pmod{4}$ for every integer $a$, $x^2 + y^2 \equiv 0$, $1$, or $2 \pmod{4}$.


To conjecture which integers are the sum of two squares, we first examine some 
small positive integers. 


Example 13.6. Among the first 20 positive integers, note that

$1 = 0^2 + 1^2$,
$2 = 1^2 + 1^2$,
3 is not the sum of two squares,
$4 = 2^2 + 0^2$,
$5 = 1^2 + 2^2$,
6 is not the sum of two squares,
7 is not the sum of two squares,
$8 = 2^2 + 2^2$,
$9 = 3^2 + 0^2$,
$10 = 3^2 + 1^2$,
11 is not the sum of two squares,
12 is not the sum of two squares,
$13 = 3^2 + 2^2$,
14 is not the sum of two squares,
15 is not the sum of two squares,
$16 = 4^2 + 0^2$,
$17 = 4^2 + 1^2$,
$18 = 3^2 + 3^2$,
19 is not the sum of two squares,
$20 = 2^2 + 4^2$. ◄


It is not immediately obvious from the evidence in Example 13.6 which integers, 
in general, are the sum of two squares. (Can you see anything in common among those 
positive integers not representable as the sum of two squares?) 


We now begin a discussion that will show that the prime factorization of an integer 
determines whether this integer is the sum of two squares. There are two reasons for this. 
The first is that the product of two integers that are sums of two squares is again the sum 
of two squares; the second is that a prime is representable as the sum of two squares if 
and only if it is not of the form 4k + 3. We will prove both of these results. Then we will 
state and prove the theorem that specifies which integers are the sum of two squares. 


The proof that the product of sums of two squares is again the sum of two squares 
relies on an important algebraic identity that we will use several times in this section. 

Theorem 13.4. If $m$ and $n$ are both sums of two squares, then $mn$ is also the sum of
two squares.

Proof. Let $m = a^2 + b^2$ and $n = c^2 + d^2$. Then

$$mn = (a^2 + b^2)(c^2 + d^2) = (ac + bd)^2 + (ad - bc)^2. \tag{13.2}$$

The reader can easily verify this identity by expanding all the terms. ■


Example 13.7. Because $5 = 2^2 + 1^2$ and $13 = 3^2 + 2^2$, it follows from (13.2) that

$$65 = 5 \cdot 13 = (2^2 + 1^2)(3^2 + 2^2) = (2 \cdot 3 + 1 \cdot 2)^2 + (2 \cdot 2 - 1 \cdot 3)^2 = 8^2 + 1^2.$$ ◄


One crucial result is that every prime of the form 4k + 1 is the sum of two squares. 
To prove this result, we will need the following lemma. 


Lemma 13.4. If $p$ is a prime of the form $4m + 1$, where $m$ is an integer, then there
exist integers $x$ and $y$ such that $x^2 + y^2 = kp$ for some positive integer $k$ with $k < p$.


Proof. By Theorem 11.5, we know that $-1$ is a quadratic residue of $p$. Hence, there is
an integer $a$, $a < p$, such that $a^2 \equiv -1 \pmod{p}$. It follows that $a^2 + 1 = kp$ for some
positive integer $k$. Hence, $x^2 + y^2 = kp$, where $x = a$ and $y = 1$. From the inequality
$kp = x^2 + y^2 \le (p - 1)^2 + 1 < p^2$, we see that $k < p$. ■


We can now prove the following theorem, which tells us that all primes not of the 
form 4k + 3 are the sum of two squares. 

Theorem 13.5. If $p$ is a prime not of the form $4k + 3$, then there are integers $x$ and $y$
such that $x^2 + y^2 = p$.


Proof. Note that 2 is the sum of two squares, because $1^2 + 1^2 = 2$. Now, suppose
that $p$ is a prime of the form $4k + 1$. Let $m$ be the smallest positive integer such that
$x^2 + y^2 = mp$ has a solution in integers $x$ and $y$. By Lemma 13.4, there is such an
integer less than $p$; by the well-ordering property, a least such integer exists. We will
show that $m = 1$.


Assume that $m > 1$. Let $a$ and $b$ be defined by

$$a \equiv x \pmod{m}, \quad b \equiv y \pmod{m}$$

and

$$-m/2 < a \le m/2, \quad -m/2 < b \le m/2.$$

It follows that $a^2 + b^2 \equiv x^2 + y^2 = mp \equiv 0 \pmod{m}$. Hence, there is an integer $k$ such
that

$$a^2 + b^2 = km.$$

We have

$$(a^2 + b^2)(x^2 + y^2) = (km)(mp) = km^2 p.$$

By equation (13.2), we have

$$(a^2 + b^2)(x^2 + y^2) = (ax + by)^2 + (ay - bx)^2.$$

Furthermore, because $a \equiv x \pmod{m}$ and $b \equiv y \pmod{m}$, we have

$$ax + by \equiv x^2 + y^2 \equiv 0 \pmod{m},$$

$$ay - bx \equiv xy - yx \equiv 0 \pmod{m}.$$

Hence, $(ax + by)/m$ and $(ay - bx)/m$ are integers, so that

$$\left(\frac{ax + by}{m}\right)^2 + \left(\frac{ay - bx}{m}\right)^2 = \frac{km^2 p}{m^2} = kp$$

is the sum of two squares. If we show that $0 < k < m$, this will contradict the choice of $m$
as the minimum positive integer such that $x^2 + y^2 = mp$ has a solution in integers. We
know that $a^2 + b^2 = km$, $-m/2 < a \le m/2$, and $-m/2 < b \le m/2$. Hence, $a^2 \le m^2/4$
and $b^2 \le m^2/4$. We have

$$0 \le km = a^2 + b^2 \le 2(m^2/4) = m^2/2.$$

Consequently, $0 \le k \le m/2$. It follows that $k < m$. All that remains is to show that $k \ne 0$.
If $k = 0$, we have $a^2 + b^2 = 0$. This implies that $a = b = 0$, so that $x \equiv y \equiv 0 \pmod{m}$,
which shows that $m \mid x$ and $m \mid y$. Because $x^2 + y^2 = mp$, this implies that $m^2 \mid mp$,
which implies that $m \mid p$. Because $m$ is less than $p$, this implies that $m = 1$, which is
what we wanted to prove. ■


We can now put all the pieces together and prove the fundamental result that
classifies the positive integers that are representable as the sum of two squares.


Theorem 13.6. The positive integer $n$ is the sum of two squares if and only if each
prime factor of $n$ of the form $4k + 3$ occurs to an even power in the prime factorization
of $n$.


Proof. Suppose that in the prime factorization of $n$ there are no primes of the form
$4k + 3$ that appear to an odd power. We write $n = t^2 u$, where $u$ is the product of primes.
No primes of the form $4k + 3$ appear in $u$. By Theorem 13.5, each prime in $u$ can be
written as the sum of two squares. Applying Theorem 13.4 one time fewer than the
number of different primes in $u$ shows that $u$ is also the sum of two squares, say,

$$u = x^2 + y^2.$$

It then follows that $n$ is also the sum of two squares, namely,

$$n = (tx)^2 + (ty)^2.$$

Now, suppose that there is a prime $p$, $p \equiv 3 \pmod{4}$, that occurs in the prime factorization
of $n$ to an odd power, say, the $(2j + 1)$th power. Furthermore, suppose that $n$ is the sum
of two squares, that is,

$$n = x^2 + y^2.$$

Let $(x, y) = d$, $a = x/d$, $b = y/d$, and $m = n/d^2$. It follows that $(a, b) = 1$ and

$$a^2 + b^2 = m.$$

Suppose that $p^k$ is the largest power of $p$ that divides $d$. Then $m$ is divisible by $p^{2j-2k+1}$,
and $2j - 2k + 1$ is at least 1 because it is nonnegative; hence, $p \mid m$. We know that $p$
does not divide $a$, for if $p \mid a$, then $p \mid b$ because $b^2 = m - a^2$, but $(a, b) = 1$.


Thus, there is an integer $z$ such that $az \equiv b \pmod{p}$. It follows that

$$a^2 + b^2 \equiv a^2 + (az)^2 = a^2(1 + z^2) \pmod{p}.$$

Because $a^2 + b^2 = m$ and $p \mid m$, we see that

$$a^2(1 + z^2) \equiv 0 \pmod{p}.$$

Because $(a, p) = 1$, it follows that $1 + z^2 \equiv 0 \pmod{p}$. This implies that $z^2 \equiv -1 \pmod{p}$,
which is impossible because $-1$ is not a quadratic residue of $p$, because
$p \equiv 3 \pmod{4}$. This contradiction shows that $n$ could not have been the sum of two
squares. ■
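
The descent in the proof of Theorem 13.5 is constructive, and combined with identity (13.2) and the criterion of Theorem 13.6 it gives a procedure for writing an integer as a sum of two squares. The Python program below is an added example, not code from the text: the function names are hypothetical, the square root of $-1$ modulo $p$ promised by Lemma 13.4 is found with Euler's criterion (an implementation choice), and trial division assumes that $n$ is small.

```python
def centered_residue(x, m):
    """Return r with r ≡ x (mod m) and -m/2 < r <= m/2, as in the proof."""
    r = x % m
    return r - m if 2 * r > m else r


def prime_as_two_squares(p):
    """Write a prime p = 2 or p ≡ 1 (mod 4) as x^2 + y^2 (Theorem 13.5)."""
    if p == 2:
        return (1, 1)
    if p % 4 != 1:
        raise ValueError("p must be 2 or a prime of the form 4k + 1")
    # Lemma 13.4 needs a with a^2 ≡ -1 (mod p).  If c is a quadratic
    # nonresidue, c^((p-1)/2) ≡ -1 (mod p), so a = c^((p-1)/4) works.
    a = next(pow(c, (p - 1) // 4, p) for c in range(2, p)
             if pow(c, (p - 1) // 2, p) == p - 1)
    x, y = a, 1
    m = (x * x + y * y) // p            # x^2 + y^2 = m*p with m < p
    while m > 1:
        # Reduce x, y modulo m; then a^2 + b^2 = k*m with 0 < k <= m/2.
        a, b = centered_residue(x, m), centered_residue(y, m)
        k = (a * a + b * b) // m
        # Identity (13.2): both combinations are divisible by m, and the
        # quotients satisfy x^2 + y^2 = k*p with the smaller multiplier k.
        x, y = (a * x + b * y) // m, (a * y - b * x) // m
        m = k
    return tuple(sorted((abs(x), abs(y))))


def factorize(n):
    """Prime factorization {prime: exponent} by trial division."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def as_two_squares(n):
    """Return (x, y) with x^2 + y^2 = n, or None if Theorem 13.6 forbids it."""
    x, y = 1, 0
    for p, e in factorize(n).items():
        if p % 4 == 3:
            if e % 2:
                return None             # a prime 4k + 3 to an odd power
            x, y = x * p ** (e // 2), y * p ** (e // 2)   # goes into t
        else:
            c, d = prime_as_two_squares(p)
            for _ in range(e):
                x, y = x * c + y * d, x * d - y * c       # identity (13.2)
    return tuple(sorted((abs(x), abs(y))))


if __name__ == "__main__":
    for n in (13, 29, 65, 21, 45):
        print(n, as_two_squares(n))
```

Each pass of the `while` loop replaces the multiplier $m$ by $k \le m/2$, so the number of descent steps is at most $\log_2 p$.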


Because there are positive integers not representable as the sum of two squares, we 
can ask whether every positive integer is the sum of three squares. The answer is no, as it 
is impossible to write 7 as the sum of three squares (as the reader should show). Because 
three squares do not suffice, we ask whether four squares do. The answer to this is yes, as
we will show. Fermat wrote that he had a proof of this fact, although he never published 
it (and most historians of mathematics believe that he actually had such a proof). Euler 
was unable to find a proof, although he made substantial progress toward a solution. It 
was in 1770 that Lagrange presented the first published solution. 


The proof that every positive integer is the sum of four squares depends on the 
following theorem, which shows that the product of two integers both representable as 
the sum of four squares can also be so represented. Just as with the analogous result for 
two squares, there is an important algebraic identity used in the proof. 


Theorem 13.7. If m and n are positive integers that are each the sum of four squares, 
then mn is also the sum of four squares. 


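Proof. Let $m = a^2 + b^2 + c^2 + d^2$ and $n = e^2 + f^2 + g^2 + h^2$. The fact that $mn$ is also
the sum of four squares follows from the following algebraic identity:

$$\begin{aligned}
mn &= (a^2 + b^2 + c^2 + d^2)(e^2 + f^2 + g^2 + h^2) \\
&= (ae + bf + cg + dh)^2 + (af - be + ch - dg)^2 \\
&\quad + (ag - bh - ce + df)^2 + (ah + bg - cf - de)^2.
\end{aligned} \tag{13.3}$$

The reader can easily verify this identity by multiplying all the terms. ■

We illustrate the use of Theorem 13.7 with an example.

Example 13.8. Because $7 = 2^2 + 1^2 + 1^2 + 1^2$ and $10 = 3^2 + 1^2 + 0^2 + 0^2$, from
(13.3) it follows that

$$\begin{aligned}
70 = 7 \cdot 10 &= (2^2 + 1^2 + 1^2 + 1^2)(3^2 + 1^2 + 0^2 + 0^2) \\
&= (2 \cdot 3 + 1 \cdot 1 + 1 \cdot 0 + 1 \cdot 0)^2 + (2 \cdot 1 - 1 \cdot 3 + 1 \cdot 0 - 1 \cdot 0)^2 \\
&\quad + (2 \cdot 0 - 1 \cdot 0 - 1 \cdot 3 + 1 \cdot 1)^2 + (2 \cdot 0 + 1 \cdot 0 - 1 \cdot 1 - 1 \cdot 3)^2 \\
&= 7^2 + 1^2 + 2^2 + 4^2.
\end{aligned}$$ ◄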


We will now begin our work to show that every prime is the sum of four squares. We 
begin with a lemma. 


Lemma 13.5. If $p$ is an odd prime, then there exists an integer $k$, $k < p$, such that

$$kp = x^2 + y^2 + z^2 + w^2$$

has a solution in integers $x$, $y$, $z$, and $w$.

Proof. We will first show that there are integers $x$ and $y$ such that

$$x^2 + y^2 + 1 \equiv 0 \pmod{p}$$

with $0 \le x < p/2$ and $0 \le y < p/2$.

Let


and

$$T = \left\{-1 - 0^2, -1 - 1^2, \ldots, -1 - \left(\frac{p-1}{2}\right)^2\right\}.$$

No two elements of $S$ are congruent modulo $p$ (because $x^2 \equiv y^2 \pmod{p}$ implies that
$x \equiv \pm y \pmod{p}$). Likewise, no two elements of $T$ are congruent modulo $p$. It is easy
to see that the set $S \cup T$ contains $p + 1$ distinct integers. By the pigeonhole principle,
there are two integers in this union that are congruent modulo $p$. It follows that there
are integers $x$ and $y$ such that $x^2 \equiv -1 - y^2 \pmod{p}$ with $0 \le x \le (p - 1)/2$ and
$0 \le y \le (p - 1)/2$. We have

$$x^2 + y^2 + 1 \equiv 0 \pmod{p};$$

it follows that $x^2 + y^2 + 1 + 0^2 = kp$ for some integer $k$. Because
$x^2 + y^2 + 1 \le 2((p - 1)/2)^2 + 1 < p^2$, it follows that $k < p$. ■


We can now prove that every prime is the sum of four squares. 


Theorem 13.8. Let $p$ be a prime. Then the equation $x^2 + y^2 + z^2 + w^2 = p$ has a
solution, where $x$, $y$, $z$, and $w$ are integers.


Proof. The result is true when $p = 2$, because $2 = 1^2 + 1^2 + 0^2 + 0^2$. Now, assume that
$p$ is an odd prime. Let $m$ be the smallest integer such that $x^2 + y^2 + z^2 + w^2 = mp$ has
a solution, where $x$, $y$, $z$, and $w$ are integers. (By Lemma 13.5, such integers exist, and
by the well-ordering property, there is a minimal such integer.) The theorem will follow
if we can show that $m = 1$. To do this, we assume that $m > 1$ and find a smaller such
integer.


If $m$ is even, then either all of $x$, $y$, $z$, and $w$ are odd, all are even, or two are odd
and two are even. In all these cases, we can rearrange these integers (if necessary) so that
$x \equiv y \pmod{2}$ and $z \equiv w \pmod{2}$. It then follows that $(x - y)/2$, $(x + y)/2$, $(z - w)/2$,
and $(z + w)/2$ are integers, and

$$\left(\frac{x - y}{2}\right)^2 + \left(\frac{x + y}{2}\right)^2 + \left(\frac{z - w}{2}\right)^2 + \left(\frac{z + w}{2}\right)^2 = \frac{m}{2}\,p.$$

This contradicts the minimality of $m$.


Now suppose that $m$ is odd and $m > 1$. Let $a$, $b$, $c$, and $d$ be integers such that

$$a \equiv x \pmod{m}, \quad b \equiv y \pmod{m}, \quad c \equiv z \pmod{m}, \quad d \equiv w \pmod{m},$$

and

$$-m/2 < a < m/2, \quad -m/2 < b < m/2, \quad -m/2 < c < m/2, \quad -m/2 < d < m/2.$$

We have

$$a^2 + b^2 + c^2 + d^2 \equiv x^2 + y^2 + z^2 + w^2 \pmod{m};$$

hence,

$$a^2 + b^2 + c^2 + d^2 = km$$

for some integer $k$, and

$$0 \le a^2 + b^2 + c^2 + d^2 < 4(m/2)^2 = m^2.$$

Consequently, $0 \le k < m$. If $k = 0$, we have $a = b = c = d = 0$, so that
$x \equiv y \equiv z \equiv w \equiv 0 \pmod{m}$. From this, it follows that $m^2 \mid mp$, which is impossible
because $1 < m < p$. It follows that $k > 0$.


We have

$$(x^2 + y^2 + z^2 + w^2)(a^2 + b^2 + c^2 + d^2) = mp \cdot km = m^2 kp.$$

But by the identity in the proof of Theorem 13.7, we have

$$\begin{aligned}
&(ax + by + cz + dw)^2 + (bx - ay + dz - cw)^2 \\
&\quad + (cx - dy - az + bw)^2 + (dx + cy - bz - aw)^2 = m^2 kp.
\end{aligned}$$

Each of the four terms being squared is divisible by $m$, because

$$\begin{aligned}
ax + by + cz + dw &\equiv x^2 + y^2 + z^2 + w^2 \equiv 0 \pmod{m}, \\
bx - ay + dz - cw &\equiv yx - xy + wz - zw = 0 \pmod{m}, \\
cx - dy - az + bw &\equiv zx - wy - xz + yw = 0 \pmod{m}, \\
dx + cy - bz - aw &\equiv wx + zy - yz - xw = 0 \pmod{m}.
\end{aligned}$$

Let $X$, $Y$, $Z$, and $W$ be the integers obtained by dividing these quantities by $m$, that is,

$$\begin{aligned}
X &= (ax + by + cz + dw)/m, \\
Y &= (bx - ay + dz - cw)/m, \\
Z &= (cx - dy - az + bw)/m, \\
W &= (dx + cy - bz - aw)/m.
\end{aligned}$$

It then follows that

$$X^2 + Y^2 + Z^2 + W^2 = m^2 kp/m^2 = kp.$$

But this contradicts the choice of $m$; hence, $m$ must be 1. ■


We now can state and prove the fundamental theorem about representations of 
integers as sums of four squares. 


Theorem 13.9. Every positive integer is the sum of the squares of four integers. 


Proof. Suppose that n is a positive integer. Then, by the fundamental theorem of 
arithmetic, n is the product of primes. By Theorem 13.8, each of these prime factors 
can be written as the sum of four squares. Applying Theorem 13.7 a sufficient number 
of times, it follows that $n$ is also the sum of four squares. ■
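
The proofs of Lemma 13.5 and Theorems 13.7 through 13.9 likewise describe a procedure: find $x^2 + y^2 + 1 \equiv 0 \pmod{p}$, shrink the multiplier $m$ by the even and odd descent steps, and combine primes with identity (13.3). The Python program below is an added example, not code from the text; the function names are hypothetical, and the factorization is plain trial division, so it is meant for small $n$.

```python
def euler_product(u, v):
    """Identity (13.3): product of two sums of four squares as four squares."""
    a, b, c, d = u
    e, f, g, h = v
    return (a * e + b * f + c * g + d * h,
            a * f - b * e + c * h - d * g,
            a * g - b * h - c * e + d * f,
            a * h + b * g - c * f - d * e)


def lemma_13_5(p):
    """Find (x, y), 0 <= x, y <= (p-1)/2, with x^2 + y^2 + 1 ≡ 0 (mod p)."""
    half = (p - 1) // 2
    # Residues of the squares x^2 for 0 <= x <= (p-1)/2, mapped back to x.
    squares = {x * x % p: x for x in range(half + 1)}
    for y in range(half + 1):
        x = squares.get((-1 - y * y) % p)   # does -1 - y^2 hit a square?
        if x is not None:
            return x, y
    raise ValueError("p must be an odd prime")


def centered(x, m):
    """Return r with r ≡ x (mod m) and -m/2 < r <= m/2."""
    r = x % m
    return r - m if 2 * r > m else r


def prime_as_four_squares(p):
    """Theorem 13.8: write a prime p as a sum of four squares by descent."""
    if p == 2:
        return (0, 0, 1, 1)
    x, y = lemma_13_5(p)
    q = (x, y, 1, 0)
    m = sum(t * t for t in q) // p          # sum of squares = m*p, m < p
    while m > 1:
        if m % 2 == 0:
            # Even m: pair entries of equal parity, then halve.
            x, y, z, w = sorted(q, key=lambda t: t % 2)
            q = ((x - y) // 2, (x + y) // 2, (z - w) // 2, (z + w) // 2)
            m //= 2
        else:
            # Odd m: reduce modulo m, multiply with (13.3), divide by m.
            r = tuple(centered(t, m) for t in q)
            k = sum(t * t for t in r) // m  # 0 < k < m
            q = tuple(t // m for t in euler_product(r, q))
            m = k
    return tuple(sorted(abs(t) for t in q))


def four_squares(n):
    """Theorem 13.9: combine the prime factors of n with identity (13.3)."""
    rep, d = (1, 0, 0, 0), 2
    while n > 1:
        if d * d > n:
            d = n                            # what is left is prime
        if n % d == 0:
            rep = euler_product(rep, prime_as_four_squares(d))
            n //= d
        else:
            d += 1
    return tuple(sorted(abs(t) for t in rep))


if __name__ == "__main__":
    for n in (7, 23, 70, 239, 555):
        print(n, four_squares(n))
```

The first assertion one would check by hand is Example 13.8: `euler_product((2, 1, 1, 1), (3, 1, 0, 0))` gives the entries $7, -1, -2, -4$, whose squares sum to 70.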

We have shown that every positive integer can be written as the sum of four squares.
As mentioned, this theorem was originally proved by Lagrange in 1770. Around the same 
time, the English mathematician Edward Waring generalized this problem. He stated, 
but did not prove, that every positive integer is the sum of nine cubes of nonnegative 
integers, the sum of 19 fourth powers of nonnegative integers, and so on. We can phrase 
this conjecture in the following way. 


Waring’s Problem. If k is a positive integer, is there an integer g(k) such that every 
positive integer can be written as the sum of g(k) kth powers of nonnegative integers, 
and no smaller number of kth powers will suffice? 


Lagrange’s theorem shows that we can take $g(2) = 4$ (because there are integers
that are not the sum of three squares). In the nineteenth century, mathematicians showed
that such an integer $g(k)$ exists for $3 \le k \le 8$ and $k = 10$. But it was not until 1906 that
David Hilbert showed that for every positive integer $k$, there is a constant $g(k)$ such that
every positive integer may be expressed as the sum of $g(k)$ $k$th powers of nonnegative
integers. Hilbert’s proof is extremely complicated and is not constructive, so that it gives
no formula for $g(k)$. It is now known that $g(3) = 9$, $g(4) = 19$, $g(5) = 37$, and

$$g(k) = [(3/2)^k] + 2^k - 2$$

for $6 \le k \le 471{,}600{,}000$. Proofs of these formulas rely on nonelementary results from
analytical number theory. There are still many unanswered questions about the values of
$g(k)$.


EDWARD WARING (1736-1798) was born in Old Heath in Shropshire, England,
where his father was a farmer. As a youth, Edward attended Shrewsbury
School. He entered Magdalene College, Cambridge, in 1753, winning a scholarship
qualifying him for a reduced fee if he also worked as a servant. His
mathematical talents quickly impressed his teachers and he was elected a fellow
of the college in 1754, graduating in 1757. Noted by many as a prodigy, Waring
was nominated for the Lucasian Chair of Mathematics at Cambridge in 1759;
after some controversy, he was confirmed as the Lucasian professor in 1760 at
the age of 23.

Waring’s most important work was Meditationes Algebraicae, which covered topics in the
theory of equations, number theory, and geometry. In this book, he makes one of the first important
contributions to the part of abstract algebra now known as Galois theory. It was also in this book that
he stated without proof that every integer is equal to the sum of not more than nine cubes, that every
integer is the sum of not more than 19 fourth powers, and so on—the result we now call Waring’s
theorem. To honor his contributions in the Meditationes Algebraicae, Waring was elected a Fellow
of the Royal Society in 1763. However, few scholars read the book, because of its difficult subject
matter and because Waring used a notation that made his work hard to understand.

Surprisingly, Waring also studied medicine while holding his chair in mathematics. He graduated
with an M.D. in 1767 and for a brief time practiced medicine at several hospitals, before giving up
medicine in 1770. His lack of success in medicine has been attributed to his shy manner and poor
eyesight. Waring was able to pursue medicine while holding his chair in mathematics because he
did not present lectures on mathematics. In fact, Waring was noted as a poor communicator with
handwriting almost impossible to read.

Waring was married to Mary Oswell in 1776. He and his wife lived in the town of Shrewsbury
for a while, but his wife did not like the town. The couple later moved to Waring’s country estate.

Waring was considered by his contemporaries to possess an odd combination of vanity and modesty,
but with vanity predominating. He is recognized as one of the greatest English mathematicians
of his time, although his poor communication skills limited his reputation while he was alive. Moreover,
according to one account, near the end of his life he fell into a deep religious melancholy that
approached insanity and prevented him from accepting several awards.


Although every positive integer can be written as the sum of nine cubes, it is known
that the only positive integers not representable as the sum of eight cubes are 23 and 239.
It is also known that every sufficiently large integer can be represented as the sum of at
most seven cubes. Observations of this sort lead to the definition of the function $G(k)$,
which equals the least positive integer such that all sufficiently large positive integers
can be represented as the sum of at most $G(k)$ $k$th powers. The preceding remarks imply
that $G(3) \le 7$. It is also not hard to see that $G(3) \ge 4$, because no positive integer $n$
with $n \equiv \pm 4 \pmod{9}$ can be expressed as the sum of three cubes (see Exercise 22).
This implies that $4 \le G(3) \le 7$. It may surprise you to learn that it is still not known
whether $G(3) = 4$, 5, 6, or 7. The value of $G(k)$ is extremely difficult to determine;
the only known values of $G(k)$ are $G(2) = 4$ and $G(4) = 16$. The best currently known
inequalities for $G(k)$, with $k = 5$, 6, 7, and 8, are $6 \le G(5) \le 17$, $9 \le G(6) \le 24$,
$8 \le G(7) \le 32$, and $32 \le G(8) \le 42$.


The interested reader can learn about recent results regarding Waring’s problem 
by consulting the numerous articles on this problem described in [Le74]. The paper of 
Wunderlich and Kubina [WuKu90] established the upper limit of the range for which it 
has been verified that g(k) is given by this formula. 


EXERCISES 


. Given that 13 = 37 + 2?, 29 = 5* + 22, and 50 = 7 + 1?, write each of the following integers 


as the sum of two squares. 
a) 377 = 13-29 b) 650=13-50 c)1450=29-50_  d) 18,850 = 13-29-50 


. Determine whether each of the following integers can be written as the sum of two squares. 


a) 19 c) 29 e) 65 g) 99 i) 1000 
b) 25 d) 45 f) 80 h) 999 


. Represent each of the following integers as the sum of two squares. 


a) 34 b) 90 c) 101 d) 490 e) 21,658 — f) 324,608 


. Show that a positive integer is the difference of two squares if and only if it is not of the form 


4k + 2, where k is an integer. 


5. Represent each of the following integers as the sum of three squares if possible.
a) 3 b) 90 c) 11 d) 18 e) 23 f) 28


6. Show that the positive integer $n$ is not the sum of three squares of integers if $n$ is of the form
$8k + 7$, where $k$ is an integer.
7. Show that the positive integer $n$ is not the sum of three squares of integers if $n$ is of the form
$4^m(8k + 7)$, where $m$ and $k$ are nonnegative integers.
8. Prove or disprove that the sum of two integers each representable as the sum of three squares 
of integers is also thus representable. 
9. Given that $7 = 2^2 + 1^2 + 1^2 + 1^2$, $15 = 3^2 + 2^2 + 1^2 + 1^2$, and $34 = 4^2 + 4^2 + 1^2 + 1^2$, write
each of the following integers as the sum of four squares.
a) $105 = 7 \cdot 15$ b) $510 = 15 \cdot 34$ c) $238 = 7 \cdot 34$ d) $3570 = 7 \cdot 15 \cdot 34$


10. Write each of the following positive integers as the sum of four squares. 
a) 6 b) 12 c) 21 d) 89 e) 99 f) 555 


11. Show that every integer $n$, $n \ge 170$, is the sum of the squares of five positive integers.
(Hint: Write $m = n - 169$ as the sum of the squares of four integers, and use the fact that
$169 = 13^2 = 12^2 + 5^2 = 12^2 + 4^2 + 3^2 = 10^2 + 8^2 + 2^2 + 1^2$.)

12. Show that the only positive integers that are not expressible as the sum of five squares of 
positive integers are 1, 2, 3, 4, 6, 7, 9, 10, 12, 15, 18, 33. (Hint: Use Exercise 11, show that 
each of these integers cannot be expressed as stated, and then show all remaining positive 
integers less than 170 can be expressed as stated.) 


* 13. Show that there are arbitrarily large integers that are not the sums of the squares of four
positive integers. 


We outline a second proof for Theorem 13.5 in Exercises 14-15. 


* 14. Show that if $p$ is prime and $a$ is an integer not divisible by $p$, then there exist integers $x$
and $y$ such that $ax \equiv y \pmod{p}$ with $0 < |x| < \sqrt{p}$ and $0 < |y| < \sqrt{p}$. This result is called
Thue’s lemma after Norwegian mathematician Axel Thue. (Hint: Use the pigeonhole principle
to show that there are two integers of the form $au - v$, with $0 \le u \le [\sqrt{p}]$ and $0 \le v \le [\sqrt{p}]$,
that are congruent modulo $p$. Construct $x$ and $y$ from the two values of $u$ and the two values
of $v$, respectively.)

15. Use Exercise 14 to prove Theorem 13.5. (Hint: Show that there is an integer $a$ with $a^2 \equiv -1 \pmod{p}$.
Then apply Thue’s lemma with this value of $a$.)


16. Show that 23 is the sum of nine cubes of nonnegative integers but not the sum of eight cubes 
of nonnegative integers. 


Exercises 17-21 give an elementary proof that $g(4) \le 50$.


AXEL THUE (1863-1922) was born in Tønsberg, Norway. He received his
degree from the University of Oslo in 1889. He studied under the German
mathematician Lie in Leipzig and in Berlin from 1891 until 1894, and he was
professor of applied mechanics at the University of Oslo from 1903 until 1922. 
Thue was the first person to study the problem of finding an infinite sequence 
over a finite alphabet that does not contain any occurrences of adjacent identical 
blocks. His work on the approximations of algebraic numbers was seminal, 
and was later improved by Siegel and by Roth. Using his results, he managed 
to prove that certain diophantine equations such as y? — 2x? = 1 have a finite number of solutions. 
Edmund Landau characterized Thue’s theorem on approximation as “the most important discovery 
in elementary number theory that I know.” 
17. Show that

$$\sum_{1 \le i < j \le 4} \left( (x_i + x_j)^4 + (x_i - x_j)^4 \right) = 6 \left( \sum_{k=1}^{4} x_k^2 \right)^2 .$$

(Hint: Start with the identity $(x_i + x_j)^4 + (x_i - x_j)^4 = 2x_i^4 + 12x_i^2x_j^2 + 2x_j^4$.)


18. Show from Exercise 17 that every integer of the form $6n^2$, where $n$ is a positive integer, is
the sum of 12 fourth powers.


19. Use Exercise 18 and the fact that every positive integer is the sum of four squares to show
that every positive integer of the form $6m$, where $m$ is a positive integer, can be written as the
sum of 48 fourth powers.


20. Show that the integers 0, 1, 2, 81, 16, 17 form a complete system of residues modulo 6, each
of which is the sum of at most two fourth powers. Show from this that every integer $n$ with
$n > 81$ can be written as $6m + k$, where $m$ is a positive integer and $k$ comes from this complete
system of residues. Conclude from this that every integer $n$ with $n > 81$ is the sum of 50 fourth
powers.


21. Show that every positive integer $n$ with $n \le 81$ is the sum of at most 50 fourth powers. (Hint:
For $51 \le n \le 81$, start by using three terms equal to $2^4$.) Conclude from this exercise and
Exercise 20 that $g(4) \le 50$.


22. Show that no positive integer $n$, $n \equiv \pm 4 \pmod{9}$, is the sum of three cubes.


23. Show that $G(4) \ge 15$ by showing that if $n$ is a positive integer with $n \equiv 15 \pmod{16}$, then $n$
cannot be represented as the sum of fewer than 15 fourth powers of integers.


24. Use the fact that 31 is not the sum of 15 fourth powers and the method of infinite descent,
to show that no positive integer of the form $31 \cdot 16^m$ is the sum of 15 fourth powers. (Hint:
Suppose that $\sum_{i=1}^{15} x_i^4 = 31 \cdot 16^m$. Show that each $x_i$ must be even, so that
$\sum_{i=1}^{15} (x_i/2)^4 = 31 \cdot 16^{m-1}$.)


Computations and Explorations 


1. Find the number of ways that each integer less than 100 can be written as the sum of two
squares. (Count the sum $(\pm x)^2 + (\pm y)^2$ four times, once for each choice of signs.)


2. Using numerical evidence, make a conjecture concerning which positive integers can be
expressed as the sum of three squares. (Be sure to consult Exercise 7.)


3. Explore which positive integers can be written as the sum of $n$ cubes of nonnegative integers
for $n = 2, 3, 4, 5$.


Programming Projects 


1. Determine whether a positive integer $n$ can be represented as the sum of two squares and so
represent it if possible.


2. Given a positive integer $n$, represent $n$ as the sum of four squares.
13.4 Pell’s Equation


In this section, we study diophantine equations of the form

(13.4) $x^2 - dy^2 = n$,


where $d$ and $n$ are fixed integers. When $d < 0$ and $n < 0$, there are no solutions of (13.4).
When $d < 0$ and $n > 0$, there can be at most a finite number of solutions, because the
equation $x^2 - dy^2 = n$ implies that $|x| \le \sqrt{n}$ and $|y| \le \sqrt{n/|d|}$. Also, note that when
$d$ is a square, say, $d = D^2$, then


$x^2 - dy^2 = x^2 - D^2y^2 = (x + Dy)(x - Dy) = n.$


Hence, any solution of (13.4), when d is a square, corresponds to a simultaneous solution 
of the equations 


x+Dy=a, 
x —Dy=b, 


where a and b are integers such that n = ab. In this case, there are only a finite number 
of solutions, because there is at most one solution in integers of these two equations for 
each factorization n = ab. 


For the rest of this section, we are interested in the diophantine equation $x^2 - dy^2 = n$,
where $d$ and $n$ are integers and $d$ is a positive integer that is not a square. As the
following theorem shows, the simple continued fraction of $\sqrt{d}$ is very useful for the
study of this equation.


Theorem 13.10. Let $d$ and $n$ be integers such that $d > 0$, $d$ is not a square, and
$|n| < \sqrt{d}$. If $x^2 - dy^2 = n$, then $x/y$ is a convergent of the simple continued fraction of
$\sqrt{d}$.


Proof. First consider the case where $n > 0$. Because $x^2 - dy^2 = n$, we see that

(13.5) $(x + y\sqrt{d})(x - y\sqrt{d}) = n.$


From (13.5), we see that $x - y\sqrt{d} > 0$, so that $x > y\sqrt{d}$. Consequently,

$$\frac{x}{y} - \sqrt{d} > 0,$$

and, because $0 < n < \sqrt{d}$, we see that

$$\frac{x}{y} - \sqrt{d} = \frac{x - y\sqrt{d}}{y} = \frac{x^2 - dy^2}{y(x + y\sqrt{d})} < \frac{n}{y(2y\sqrt{d})} < \frac{\sqrt{d}}{2y^2\sqrt{d}} = \frac{1}{2y^2}.$$

Because $0 < \frac{x}{y} - \sqrt{d} < \frac{1}{2y^2}$, Theorem 12.19 tells us that $x/y$ must be a convergent of
the simple continued fraction of $\sqrt{d}$.

When $n < 0$, we divide both sides of $x^2 - dy^2 = n$ by $-d$, to obtain

$y^2 - (1/d)x^2 = -n/d.$


By a similar argument to that given when $n > 0$, we see that $y/x$ is a convergent of
the simple continued fraction expansion of $1/\sqrt{d}$. Therefore, from Exercise 7 of Section
12.3, we know that $x/y = 1/(y/x)$ must be a convergent of the simple continued fraction
of $\sqrt{d} = 1/(1/\sqrt{d})$. ■


We have shown that solutions of the diophantine equation $x^2 - dy^2 = n$, where
$|n| < \sqrt{d}$, are given by the convergents of the simple continued fraction expansion of
$\sqrt{d}$. We will restate Theorem 12.24 here, replacing $n$ by $d$, because it will help us to use
these convergents to find solutions of this diophantine equation.


Theorem 12.24. Let $d$ be a positive integer that is not a square. Define $\alpha_k = (P_k + \sqrt{d})/Q_k$,
$a_k = [\alpha_k]$, $P_{k+1} = a_kQ_k - P_k$, and $Q_{k+1} = (d - P_{k+1}^2)/Q_k$, for $k = 0, 1,
2, \ldots$, where $\alpha_0 = \sqrt{d}$. Furthermore, let $p_k/q_k$ denote the $k$th convergent of the simple
continued fraction expansion of $\sqrt{d}$. Then


$p_k^2 - dq_k^2 = (-1)^{k-1} Q_{k+1}.$


The special case of the diophantine equation $x^2 - dy^2 = n$ with $n = 1$ is called Pell’s
equation, after John Pell. Although Pell played an important role in the mathematical
community of his day, he played only a minor part in solving the equation named in his
honor. The problem of finding the solutions of this equation has a long history. Special
cases of Pell’s equations are discussed in ancient works by Archimedes and Diophantus.
Moreover, the twelfth-century Indian mathematician Bhaskara described a method for
finding the solutions of Pell’s equation. In more recent times, in a letter written in 1657,
Fermat posed to the “mathematicians of Europe” the problem of showing that there are
infinitely many integral solutions of the equation $x^2 - dy^2 = 1$, when $d$ is a positive
integer greater than 1 that is not a square. Soon afterward, the English mathematicians
Wallis and Brouncker developed a method to find these solutions, but did not provide
a proof that their method works. Euler provided all the theory needed for a proof in a
paper published in 1767, and Lagrange published such a proof in 1768. The methods
of Wallis and Brouncker, Euler, and Lagrange all are related to the use of the continued
fraction of $\sqrt{d}$. We will show how this continued fraction is used to find the solutions of
Pell’s equation. In particular, we will use Theorems 13.9 and 12.24 to find all solutions of
Pell’s equation and the related equation $x^2 - dy^2 = -1$. More information about Pell’s
equation can be found in [Ba03], a book entirely devoted to this equation.


Theorem 13.11. Let $d$ be a positive integer that is not a square. Let $p_k/q_k$ denote the
$k$th convergent of the simple continued fraction of $\sqrt{d}$, $k = 1, 2, 3, \ldots$, and let $n$ be the
period length of this continued fraction. Then, when $n$ is even, the positive solutions of
the diophantine equation $x^2 - dy^2 = 1$ are $x = p_{jn-1}$, $y = q_{jn-1}$, $j = 1, 2, 3, \ldots$, and
the diophantine equation $x^2 - dy^2 = -1$ has no solutions. When $n$ is odd, the positive


JOHN PELL (1611-1683), the son of a clergyman, was born in Sussex, England, and was 
educated at Trinity College, Cambridge. He became a schoolmaster instead of following 
his father’s wishes that he enter the clergy. After developing a reputation for scholarship in 
both mathematics and languages, he took a position at the University of Amsterdam. He 
remained there until, at the request of the Prince of Orange, he joined the faculty of a new 
college at Breda. Among Pell’s writings in mathematics are a book, Idea of Mathematics, as 
well as many pamphlets and articles. He corresponded and discussed mathematics with the 
leading mathematicians of his day, including Leibniz and Newton, the inventors of calculus. 
Euler may have called $x^2 - dy^2 = 1$ “Pell’s equation” because he was familiar with a book
in which Pell augmented the work of other mathematicians on the solutions of the equation
$x^2 - 12y^2 = n$.

Pell was involved with diplomacy; he served in Switzerland as an agent of Oliver 
Cromwell, and he joined the English diplomatic service in 1654. He finally decided to join 
the clergy in 1661, when he took his holy orders and became chaplain to the Bishop of 
London. Unfortunately, at the time of his death, Pell was living in abject poverty. 


BHASKARA (1114-1185) was born in Biddur, in the Indian state of Mysore. Bhaskara 
was the head of the astronomical observatory at Ujjain, the center of mathematical studies 
in India for many centuries. He is the best known of all Indian mathematicians of his 
era. Bhaskara’s works on mathematics include Lilavati (The Beautiful) and Bijaganita 
(Seed Counting), which are both textbooks that cover parts of algebra, arithmetic, and 
geometry. Bhaskara studied systems of linear equations in more unknowns than equations, 
and knew many combinatorial formulas. He investigated the solutions of many different 
diophantine equations. In particular, he solved the equation $x^2 - dy^2 = 1$ in integers for $d =$
8, 11, 32, 61, and 67, using what he called the “cycle method.” One illustration of his keen
computational skill is his discovery of the solution of $x^2 - 61y^2 = 1$ with $x = 1{,}766{,}319{,}049$
and y = 226,153,980. Bhaskara also wrote several important books on astronomy, including 
the Siddhantasiromani. 
solutions of $x^2 - dy^2 = 1$ are $x = p_{2jn-1}$, $y = q_{2jn-1}$, $j = 1, 2, 3, \ldots$, and the solutions
of $x^2 - dy^2 = -1$ are $x = p_{(2j-1)n-1}$, $y = q_{(2j-1)n-1}$, $j = 1, 2, 3, \ldots$.


Proof. Theorem 13.9 tells us that if $x_0, y_0$ is a positive solution of $x^2 - dy^2 = \pm 1$, then
$x_0 = p_k$, $y_0 = q_k$, where $p_k/q_k$ is a convergent of the simple continued fraction of $\sqrt{d}$.
On the other hand, from Theorem 12.24, we know that


$p_k^2 - dq_k^2 = (-1)^{k-1} Q_{k+1},$

where $Q_{k+1}$ is as defined in the statement of Theorem 12.24.

Because the period of the continued fraction expansion of $\sqrt{d}$ is $n$, we know that $Q_{jn} =
Q_0 = 1$ for $j = 1, 2, 3, \ldots$, because $\sqrt{d} = (P_0 + \sqrt{d})/Q_0$. Hence,

$p_{jn-1}^2 - dq_{jn-1}^2 = (-1)^{jn} Q_{jn} = (-1)^{jn}.$


This equation shows that when $n$ is even, $p_{jn-1}, q_{jn-1}$ is a solution of $x^2 - dy^2 = 1$ for
$j = 1, 2, 3, \ldots$, and when $n$ is odd, $p_{2jn-1}, q_{2jn-1}$ is a solution of $x^2 - dy^2 = 1$ and
$p_{(2j-1)n-1}, q_{(2j-1)n-1}$ is a solution of $x^2 - dy^2 = -1$ for $j = 1, 2, 3, \ldots$.


To show that the diophantine equations $x^2 - dy^2 = 1$ and $x^2 - dy^2 = -1$ have no
solutions other than those already found, we will show that $Q_{k+1} = 1$ implies that $n \mid k$
and that $Q_j \ne -1$ for $j = 1, 2, 3, \ldots$.


We first note that if $Q_{k+1} = 1$, then


$\alpha_{k+1} = P_{k+1} + \sqrt{d}.$


Because $\alpha_{k+1} = [a_{k+1}; a_{k+2}, \ldots]$, the continued fraction expansion of $\alpha_{k+1}$ is purely
periodic. Hence, Theorem 12.23 tells us that $-1 < \alpha'_{k+1} = P_{k+1} - \sqrt{d} < 0$. This implies
that $P_{k+1} = [\sqrt{d}]$, so that $\alpha_k = \alpha_0$ and $n \mid k$.


To see that $Q_j \ne -1$ for $j = 1, 2, 3, \ldots$, note that $Q_j = -1$ implies that $\alpha_j =
-P_j - \sqrt{d}$. Because $\alpha_j$ has a purely periodic simple continued fraction expansion, we
know that


$-1 < \alpha'_j = -P_j + \sqrt{d} < 0$
and 


From the first of these inequalities, we see that $P_j > -\sqrt{d}$, and from the second, we see
that $P_j < -1 - \sqrt{d}$. Because these two inequalities for $P_j$ are contradictory, we see that
$Q_j \ne -1$.


Because we have found all solutions of $x^2 - dy^2 = 1$ and $x^2 - dy^2 = -1$, where $x$
and $y$ are positive integers, we have completed the proof. ■


We illustrate the use of Theorem 13.10 with the following examples. 
Example 13.9. Because the simple continued fraction of $\sqrt{13}$ is $[3; \overline{1, 1, 1, 1, 6}]$, the
positive solutions of the diophantine equation $x^2 - 13y^2 = 1$ are $p_{10j-1}, q_{10j-1}$, $j =
1, 2, 3, \ldots$, where $p_{10j-1}/q_{10j-1}$ is the $(10j - 1)$th convergent of the simple continued
fraction expansion of $\sqrt{13}$. The least positive solution is $p_9 = 649$, $q_9 = 180$. The positive
solutions of the diophantine equation $x^2 - 13y^2 = -1$ are $p_{10j-6}, q_{10j-6}$, $j = 1, 2, 3, \ldots$; the
least positive solution is $p_4 = 18$, $q_4 = 5$. ◄


Example 13.10. Because the continued fraction of $\sqrt{14}$ is $[3; \overline{1, 2, 1, 6}]$, the positive
solutions of $x^2 - 14y^2 = 1$ are $p_{4j-1}, q_{4j-1}$, $j = 1, 2, 3, \ldots$, where $p_{4j-1}/q_{4j-1}$ is the
$j$th convergent of the simple continued fraction expansion of $\sqrt{14}$. The least positive
solution is $p_3 = 15$, $q_3 = 4$. The diophantine equation $x^2 - 14y^2 = -1$ has no solutions,
because the period length of the simple continued fraction expansion of $\sqrt{14}$ is even. ◄


We conclude this section with the following theorem, which shows how to find all
the positive solutions of Pell’s equation, $x^2 - dy^2 = 1$, from the least positive solution,
without finding subsequent convergents of the continued fraction expansion of $\sqrt{d}$.


Theorem 13.12. Let $x_1, y_1$ be the least positive solution of the diophantine equation
$x^2 - dy^2 = 1$, where $d$ is a positive integer that is not a square. Then all positive solutions
$x_k, y_k$ are given by


$x_k + y_k\sqrt{d} = (x_1 + y_1\sqrt{d})^k$

for $k = 1, 2, 3, \ldots$. (Note that $x_k$ and $y_k$ are determined by the use of Lemma 13.4.)


Proof. We must show that $x_k, y_k$ is a solution for $k = 1, 2, 3, \ldots$, and that every solution
is of this form.


To show that $x_k, y_k$ is a solution, first note that by taking conjugates, it follows that
$x_k - y_k\sqrt{d} = (x_1 - y_1\sqrt{d})^k$ because, from Lemma 12.4, the conjugate of a power is the
power of the conjugate. Now, note that

$$\begin{aligned}
x_k^2 - dy_k^2 &= (x_k + y_k\sqrt{d})(x_k - y_k\sqrt{d}) \\
&= (x_1 + y_1\sqrt{d})^k (x_1 - y_1\sqrt{d})^k \\
&= (x_1^2 - dy_1^2)^k \\
&= 1.
\end{aligned}$$

Hence, $x_k, y_k$ is a solution for $k = 1, 2, 3, \ldots$.


To show that every positive solution is equal to $x_k, y_k$ for some positive integer $k$,
assume that $X, Y$ is a positive solution different from $x_k, y_k$ for $k = 1, 2, 3, \ldots$. Then there is an
integer $n$ such that


$(x_1 + y_1\sqrt{d})^n < X + Y\sqrt{d} < (x_1 + y_1\sqrt{d})^{n+1}.$

When we multiply this inequality by $(x_1 + y_1\sqrt{d})^{-n}$, we obtain

$1 < (x_1 - y_1\sqrt{d})^n (X + Y\sqrt{d}) < x_1 + y_1\sqrt{d},$

because $x_1^2 - dy_1^2 = 1$ implies that $x_1 - y_1\sqrt{d} = (x_1 + y_1\sqrt{d})^{-1}$.
Now let


$s + t\sqrt{d} = (x_1 - y_1\sqrt{d})^n (X + Y\sqrt{d})$


and note that

$$\begin{aligned}
s^2 - dt^2 &= (s - t\sqrt{d})(s + t\sqrt{d}) \\
&= (x_1 + y_1\sqrt{d})^n (X - Y\sqrt{d}) (x_1 - y_1\sqrt{d})^n (X + Y\sqrt{d}) \\
&= (x_1^2 - dy_1^2)^n (X^2 - dY^2) \\
&= 1.
\end{aligned}$$


We see that $s, t$ is a solution of $x^2 - dy^2 = 1$, and, furthermore, we know that $1 <
s + t\sqrt{d} < x_1 + y_1\sqrt{d}$. Moreover, because we know that $s + t\sqrt{d} > 1$, we see that
$0 < (s + t\sqrt{d})^{-1} < 1$. Hence,


$$s = \frac{1}{2}\left[ (s + t\sqrt{d}) + (s - t\sqrt{d}) \right] > 0$$

and

$$t = \frac{1}{2\sqrt{d}}\left[ (s + t\sqrt{d}) - (s - t\sqrt{d}) \right] > 0.$$


This means that $s, t$ is a positive solution, so that $s \ge x_1$, and $t \ge y_1$, by the choice of
$x_1, y_1$ as the smallest positive solution. But this contradicts the inequality $s + t\sqrt{d} <
x_1 + y_1\sqrt{d}$. Therefore, $X, Y$ must be $x_k, y_k$ for some choice of $k$. ■


The following example illustrates the use of Theorem 13.11.

Example 13.11. From Example 13.9, we know that the least positive solution of the
diophantine equation $x^2 - 13y^2 = 1$ is $x_1 = 649$, $y_1 = 180$. Hence, all positive solutions
are given by $x_k, y_k$ where


$x_k + y_k\sqrt{13} = (649 + 180\sqrt{13})^k.$

For instance, we have

$x_2 + y_2\sqrt{13} = 842{,}401 + 233{,}640\sqrt{13}.$


Hence, $x_2 = 842{,}401$, $y_2 = 233{,}640$ is the least positive solution of $x^2 - 13y^2 = 1$, other
than $x_1 = 649$, $y_1 = 180$. ◄
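Theorems 12.24, 13.11, and 13.12 together give a complete procedure for solving $x^2 - dy^2 = \pm 1$. The following Python sketch is an added example, not part of the text; the function names are choices made here. It runs the $P_k$, $Q_k$ recurrence of Theorem 12.24 in exact integer arithmetic, reads off the period length as the first index with $Q_n = 1$, picks the convergent that Theorem 13.11 names, and then generates further solutions with Theorem 13.12.

```python
from math import isqrt


def sqrt_cf_convergents(d):
    """Yield (k, p_k, q_k, Q_{k+1}) for the simple continued fraction of
    sqrt(d), using the P_k, Q_k recurrence of Theorem 12.24."""
    a0 = isqrt(d)
    if d <= 0 or a0 * a0 == d:
        raise ValueError("d must be a positive integer that is not a square")
    P, Q, a = 0, 1, a0            # P_0, Q_0, a_0
    p_prev, q_prev = 1, 0         # p_{-1}, q_{-1}
    p, q = a0, 1                  # p_0, q_0
    k = 0
    while True:
        P = a * Q - P             # P_{k+1} = a_k Q_k - P_k
        Q = (d - P * P) // Q      # Q_{k+1} = (d - P_{k+1}^2) / Q_k
        yield k, p, q, Q
        a = (a0 + P) // Q         # a_{k+1} = [(P_{k+1} + sqrt(d)) / Q_{k+1}]
        p, p_prev = a * p + p_prev, p
        q, q_prev = a * q + q_prev, q
        k += 1


def period_length(d):
    """Period length n: the first index n >= 1 with Q_n = 1."""
    for k, _, _, q_next in sqrt_cf_convergents(d):
        if q_next == 1:
            return k + 1


def least_solution(d, rhs=1):
    """Least positive (x, y) with x^2 - d*y^2 = rhs for rhs in {1, -1},
    or None when Theorem 13.11 says there is no solution."""
    if rhs not in (1, -1):
        raise ValueError("rhs must be 1 or -1")
    n = period_length(d)
    if rhs == -1 and n % 2 == 0:
        return None
    # Index of the convergent named by Theorem 13.11 (j = 1).
    target = n - 1 if (rhs == -1 or n % 2 == 0) else 2 * n - 1
    for k, p, q, _ in sqrt_cf_convergents(d):
        if k == target:
            assert p * p - d * q * q == rhs
            return p, q


def pell_solutions(d, count):
    """First `count` positive solutions of x^2 - d*y^2 = 1 (Theorem 13.12)."""
    x1, y1 = least_solution(d, 1)
    x, y = x1, y1
    found = []
    for _ in range(count):
        found.append((x, y))
        # Multiply x + y*sqrt(d) by x1 + y1*sqrt(d).
        x, y = x * x1 + d * y * y1, x * y1 + y * x1
    return found


if __name__ == "__main__":
    for d in (13, 14, 61):
        print(d, period_length(d), least_solution(d, 1), least_solution(d, -1))
    print(pell_solutions(13, 3))
```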


EXERCISES 


1. Find all of the solutions, where $x$ and $y$ are integers, of each of the following equations.
a) $x^2 + 3y^2 = 4$ b) $x^2 + 5y^2 = 7$ c) $2x^2 + 7y^2 = 30$


2. Find all of the solutions, where $x$ and $y$ are integers, of each of the following equations.
a) $x^2 - y^2 = 8$ b) $x^2 + 4y^2 = 40$ c) $4x^2 + 9y^2 = 100$


3. For which of the following values of $n$ does the diophantine equation $x^2 - 31y^2 = n$ have a
solution?
a) 1 b) $-1$ c) 2 d) $-3$ e) 4 f) $-45$


4. Find the least positive solution in integers of each of the following diophantine equations.
a) $x^2 - 29y^2 = -1$ b) $x^2 - 29y^2 = 1$


5. Find the three smallest positive solutions of the diophantine equation $x^2 - 37y^2 = 1$.


6. For each of the following values of $d$, determine whether the diophantine equation $x^2 - dy^2 =
-1$ has solutions in integers.
a) 2 b) 3 c) 6 d) 13 e) 17 f) 31 g) 41 h) 50


7. The least positive solution of the diophantine equation $x^2 - 61y^2 = 1$ is $x_1 = 1{,}766{,}319{,}049$,
$y_1 = 226{,}153{,}980$. Find the least positive solution other than $x_1, y_1$.


8. Show that if $p_k/q_k$ is a convergent of the simple continued fraction expansion of $\sqrt{d}$, then
$|p_k^2 - dq_k^2| < 1 + 2\sqrt{d}$.


9. Show that if $d$ is a positive integer divisible by a prime of the form $4k + 3$, then the diophantine
equation $x^2 - dy^2 = -1$ has no solutions.


10. Let $d$ and $n$ be positive integers.

a) Show that if $r, s$ is a solution of the diophantine equation $x^2 - dy^2 = 1$ and $X, Y$ is a
solution of the diophantine equation $x^2 - dy^2 = n$, then $Xr \pm dYs$, $Xs \pm Yr$ is also a
solution of $x^2 - dy^2 = n$.

b) Show that the diophantine equation $x^2 - dy^2 = n$ either has no solutions or has infinitely
many solutions.


11. Find those right triangles having legs with lengths that are consecutive integers. (Hint: Use
Theorem 13.1 to write the lengths of the legs as $x = s^2 - t^2$ and $y = 2st$, where $s$ and $t$ are
positive integers such that $(s, t) = 1$, $s > t$, and $s$ and $t$ have opposite parity. Then $x - y = \pm 1$
implies that $(s - t)^2 - 2t^2 = \pm 1$.)


Show that the diophantine equation x+ — 2y* = 1 has no nontrivial solutions. 


2 


Show that the diophantine equation x — 2y? = —1 has no nontrivial solutions. 


14. Show that if $t_n$, the $n$th triangular number, equals the $m$th square, so that $n(n + 1)/2 = m^2$,
then $x = 2n + 1$ and $y = m$ are solutions of the diophantine equation $x^2 - 8y^2 = 1$. Find the
first five solutions of this diophantine equation in terms of increasing values of the positive
integer $x$ and the corresponding pairs of triangular and square numbers.


Computations and Explorations 


1. Find the least positive solution of the diophantine equation $x^2 - 109y^2 = 1$. (This problem
was posed by Fermat to English mathematicians in the mid-1600s.)


2. Find the least positive solution of the diophantine equation $x^2 - 991y^2 = 1$.


3. Find the least positive solution of the diophantine equation $x^2 - 1{,}000{,}099y^2 = 1$.
Programming Projects


1. Find those integers $n$ with $|n| < \sqrt{d}$ such that the diophantine equation $x^2 - dy^2 = n$ has no
solutions.


2. Find the least positive solutions of the diophantine equations $x^2 - dy^2 = 1$ and $x^2 - dy^2 =
-1$.


3. Find the solutions of Pell’s equation from the least positive solution (see Theorem 13.12).


13.5 Congruent Numbers


In Section 13.1, we showed that all Pythagorean triples can be found by determining 
the rational points on the unit circle. Finding all Pythagorean triples is just one of many 
problems in number theory that can be studied by finding the rational points on an 
algebraic curve. We study another such problem in this section. 


The positive integer $N$ is called a congruent number when there is a rational right
triangle with area $N$. By a rational right triangle, we mean a triangle that has rational side
lengths. Similarly, by an integer right triangle, we mean a triangle whose side lengths
are integers. Recall that if $x, y$ are the lengths of the legs of a right triangle and $z$ is the
hypotenuse, then $x^2 + y^2 = z^2$ and the area of the triangle is $xy/2$. Consequently, the
positive rational number $N$ is a congruent number if and only if there are rational numbers
$x$, $y$ and $z$ such that $x^2 + y^2 = z^2$ and $xy/2 = N$.


Example 13.12. We see that 6 is a congruent number because it is the area of the integer
right triangle with sides of length 3, 4, and 5. ◄


Determining which positive integers are congruent numbers is known as the congruent
number problem. The earliest known discussion of this problem is found in an
anonymous Arabian manuscript written in 972. This manuscript tells us that early Arab
mathematicians knew of 30 different congruent numbers. The smallest of these are 5,
6, 14, 15, 21, 30, 34, 65, and 70; the largest is 10,374. In the 13th century, Fibonacci
demonstrated that 7 is a congruent number. Furthermore, he stated, but did not prove,
that no square is a congruent number. (By a square we mean the square of a positive
integer.) In the 17th century, Fermat proved that each of the integers 1, 2, and 3 is not a
congruent number. His proof that 1 is not a congruent number established that no square
is a congruent number, as we will soon see.


The term “congruent number” was introduced in the eighteenth century by Euler. 
(The reason behind the terminology “congruent number” will be discussed later. The 
reader should note that the use of the word “congruent” in this terminology is not directly 
related to congruent integers or congruent triangles.) The history of the congruent number 
problem is quite extensive; more about this history can be found in [Gu94] and volume 
2 of [Di05]. Later in this section we will explain how the congruent number problem is 
related to finding rational points on certain curves. To learn about more recent progress on the
congruent number problem, the reader should consult [Ch98], [Ch06], [Co08], [Ko96],
and [SaSa07]. Some of the exposition in this section has been based on material in
[Co08] and [SaSa07].


Pythagorean triples and congruent numbers 


To begin our study of congruent numbers, we first observe that we have to consider only
square-free integers when we look for congruent numbers. The reason for this is that
an integer is a congruent number if and only if its square-free part is a congruent number.
(Recall, by Exercise 8 in Section 3.5, that if $N$ is a positive integer, then it can be written
as $N = u^2v$ where $u$ and $v$ are positive integers; here, $v$ is the square-free part of $N$.) To
see this, note that if $N$ is a congruent number, then there is a rational right triangle with
area $N$. Scaling this rational right triangle down by a factor of $u$, so that the side lengths
of the new triangle are the side lengths of the original triangle divided by $u$, produces a
rational right triangle with area $v$. Similarly, scaling a rational right triangle with area $v$
up by a factor of $u$ gives us a rational right triangle with area $N$.


Recall from Section 13.1 that $(a, b, c)$ is a primitive Pythagorean triple,
with $b$ even, if and only if there are relatively prime positive integers $m$ and $n$ of opposite
parity where $m > n$ such that $a = m^2 - n^2$, $b = 2mn$, and $c = m^2 + n^2$. The area of this
triangle is $ab/2 = (m^2 - n^2)mn$, which is a positive integer. The connection between
Pythagorean triples and congruent numbers is made clear by the following theorem,
which shows that every congruent number arises from a Pythagorean triple.


Theorem 13.13. If $N$ is a square-free positive integer, then $N$ is a congruent number
if and only if there is a positive integer $s$ such that $s^2N$ is the area of a primitive right
triangle. Consequently, a square-free integer $N$ is a congruent number if and only if there
are relatively prime integers $m$ and $n$ of opposite parity and a positive integer $s$ so that
$s^2N = mn(m + n)(m - n)$.


Proof. Suppose that $N$ is a square-free positive integer that is a congruent number. Then
$N$ is the area of a rational right triangle with sides of length $A$, $B$, and $C$. Let $s$ be the least
common multiple of the denominators of the rational numbers $A$, $B$, and $C$. It follows
that $(sA, sB, sC)$ is a Pythagorean triple and the right triangle with sides of these lengths
has area $s^2N$.


We will show that $(sA, sB, sC)$ must be a primitive Pythagorean triple. To see this,
assume that $M \mid sA$, $M \mid sB$, and $M \mid sC$ where $M$ is a positive integer. We will show that
$M = 1$. Observe that $(sA/M, sB/M, sC/M)$ is a Pythagorean triple and that the area
of the corresponding right triangle is $s^2N/M^2$. Because this area is an integer, we know
that $M^2 \mid s^2N$. As $N$ is square-free, it follows that $M^2 \mid s^2$, and by Exercise 43 in Section
3.5, it follows that $M \mid s$. Hence, there is an integer $t$ such that $s = Mt$ and $tA$, $tB$, $tC$ are
positive integers. As $s$ is the least common multiple of the denominators of $A$, $B$, and $C$,
$t$ must be a multiple of these denominators, and $t \le s$; this implies that $s = t$ and $M = 1$.


We have already established the converse in our previous discussion. That is, if there
is a positive integer $s$ such that $s^2N$ is the area of a primitive right triangle with sides of
lengths $a$, $b$, and $c$, then $N$ is the area of a rational right triangle with sides of lengths
$a/s$, $b/s$, and $c/s$.

To conclude the proof, we recall that a primitive right triangle has sides of length
$m^2 - n^2$, $2mn$, and $m^2 + n^2$ where $m$ and $n$ are relatively prime positive integers of
opposite parity. This means that the area of this triangle is $(1/2)(m^2 - n^2)(2mn) =
mn(m + n)(m - n)$. ■


Theorem 13.13 provides a way to find congruent numbers. More specifically, we
take the square-free part of $(m^2 - n^2)mn$ as $m$ and $n$ run through pairs of integers $m$ and
$n$ of opposite parity with $m > n$ to generate congruent numbers. This process is begun
in Table 13.2, which expands the table of primitive Pythagorean triples in Table 13.1 to
include areas and the square-free part of these areas. Theorem 13.13 tells us that if $N$ is
a congruent number, it will show up in the last column of a row if we extend this table
far enough. However, we may have to wait a long time before a particular square-free
congruent number shows up; there is no way to know beforehand how long we will have
to wait. We also note that 210 appears twice in the last column of Table 13.2. This means
that it is the square-free part of the area of the triangles corresponding to two different
Pythagorean triples. We will return to this observation later in this section.


The following example illustrates the difficulty of using this approach to show that 
a positive integer is a congruent number. 


Example 13.13. The integers 5, 7, and 53 are all congruent numbers, as we will show.
Looking at Table 13.2, we see that 5 is a congruent number, as it is the square-free part
of the area of the primitive right triangle with sides of length 9, 40, and 41, which has
area $180 = 6^2 \cdot 5$. Scaling this triangle by dividing the length of each side by 6, we obtain
a right triangle with sides of length $9/6 = 3/2$, $40/6 = 20/3$, and $41/6$ with area 5.


We have not included enough rows in Table 13.2 for 7 to appear in the last column.
However, 7 would appear if we extended the table far enough to include the values $m = 16$
and $n = 9$, which produce a primitive right triangle with sides of length 175, 288, and
337. The area of this triangle is $25{,}200 = 60^2 \cdot 7$. It follows that 7 is a congruent number;
scaling gives us a right triangle with sides of length $175/60 = 35/12$, $288/60 = 24/5$,
and $337/60$ with area 7.


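m | n | x = m^2 - n^2 | y = 2mn | z = m^2 + n^2 | (m^2 - n^2)mn | square-free part
--+---+---------------+---------+---------------+---------------+-----------------
2 | 1 |             3 |       4 |             5 |             6 |               6
3 | 2 |             5 |      12 |            13 |            30 |              30
4 | 1 |            15 |       8 |            17 |            60 |              15
4 | 3 |             7 |      24 |            25 |            84 |              21
5 | 2 |            21 |      20 |            29 |           210 |             210
5 | 4 |             9 |      40 |            41 |           180 |               5
6 | 1 |            35 |      12 |            37 |           210 |             210
6 | 5 |            11 |      60 |            61 |           330 |             330


Table 13.2 Some primitive Pythagorean triples and the congruent numbers they produce.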
We also do not see 53 as an entry in the last column of Table 13.2. An extended
version of this table would have to be huge to show that 53 is a congruent number. The
first time 53 appears as the square-free part of the area of a primitive Pythagorean triple
produced is for $m = 1{,}873{,}180{,}325$ and $n = 1{,}158{,}313{,}156$. The area of the associated
triangle is $(297{,}855{,}654{,}284{,}978{,}790)^2 \cdot 53$. ◄
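The table-extension search that Theorem 13.13 and Example 13.13 describe can be written out directly. The following Python sketch is an added example, not part of the text; the function names and the bound on $m$ are choices made here. It generates the rows of Table 13.2, takes the square-free part of each area by trial division, and, when a target $N$ appears, scales the primitive triangle by $1/s$ to get a rational right triangle of area $N$.

```python
from fractions import Fraction
from math import gcd


def squarefree_split(a):
    """Return (s, N) with a = s^2 * N and N square-free, by trial division."""
    s, n_part, f = 1, 1, 2
    while f * f <= a:
        exponent = 0
        while a % f == 0:
            a //= f
            exponent += 1
        s *= f ** (exponent // 2)
        if exponent % 2:
            n_part *= f
        f += 1
    return s, n_part * a          # what is left of a is 1 or a single prime


def primitive_rows(max_m):
    """Yield rows (m, n, x, y, z, area, square-free part) as in Table 13.2,
    for coprime m > n of opposite parity with m <= max_m."""
    for m in range(2, max_m + 1):
        for n in range(1, m):
            if (m - n) % 2 == 1 and gcd(m, n) == 1:
                area = m * n * (m + n) * (m - n)
                yield (m, n, m * m - n * n, 2 * m * n, m * m + n * n,
                       area, squarefree_split(area)[1])


def rational_triangle(target, max_m):
    """Search rows with m <= max_m for area s^2 * target; return the sides
    (x/s, y/s, z/s) of a rational right triangle of area target, or None."""
    for m, n, x, y, z, area, squarefree in primitive_rows(max_m):
        if squarefree == target:
            s = squarefree_split(area)[0]
            return Fraction(x, s), Fraction(y, s), Fraction(z, s)
    return None


if __name__ == "__main__":
    for row in primitive_rows(6):
        print(row)
    for target in (5, 6, 7):
        print(target, rational_triangle(target, 20))
```

A return value of `None` only means that the target did not appear for $m$ up to the chosen bound; for $N = 53$ the first row is at $m = 1{,}873{,}180{,}325$, far beyond what this search can reach.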


The following theorem, proved by Fibonacci, can help find congruent numbers. It 
is also a useful tool in many proofs. 


Theorem 13.14. Suppose that $a$ and $b$ are relatively prime positive integers of opposite
parity with $a > b$. When any three of $a$, $b$, $a + b$, and $a - b$ are squares, the fourth of
these numbers equals $s^2N$ where $N$ is a congruent number and $s$ is an integer.


Proof. When $a$ and $b$ are relatively prime positive integers of opposite parity and $a > b$,
it follows that $(a^2 - b^2, 2ab, a^2 + b^2)$ is a primitive Pythagorean triple. The primitive
right triangle corresponding to this triple has area $(a^2 - b^2)ab = (a + b)(a - b)ab$. Of
the four cases to consider, we will only consider the case when $a$, $b$, and $a + b$ are
squares; we leave the other three cases as an exercise.


When $a$, $b$, and $a + b$ are squares, it follows that $(a + b)ab$ is a square. Consequently,
$M = \sqrt{(a + b)ab}$ is a positive integer and the area of the triangle corresponding to our
Pythagorean triple is $M^2(a - b)$. This means that $a - b$ is the area of a rational right
triangle that has legs of lengths $(a^2 - b^2)/M$ and $2ab/M$. Now let $s$ be the least common
multiple of the denominators of the lengths of these legs. It then follows that $a - b = s^2N$
where $N$ is a congruent number, completing the proof in this case. ■


We now explain how Theorem 13.14 can be used to find congruent numbers, starting
with primitive Pythagorean triples. If $(x, y, z)$ is a primitive Pythagorean triple, then
$x$ and $y$ are relatively prime positive integers of opposite parity. As the reader should
verify, this means that $x^2$ and $y^2$ are relatively prime integers of opposite parity. We also
note that $x^2$, $y^2$, and $x^2 + y^2 = z^2$ are all squares. By Theorem 13.14, if $x^2 > y^2$, we
see that $x^2 - y^2 = s^2 N$ where $N$ is a congruent number, while if $x^2 < y^2$, we see that
$y^2 - x^2 = s^2 N$ where $N$ is a congruent number. The next example illustrates this process.


Example 13.14. Starting with the Pythagorean triple $(x, y, z) = (3, 4, 5)$, we can find
a congruent number using the process we have just described. We have $x^2 = 9$, $y^2 = 16$,
$x^2 + y^2 = 25$, $y^2 - x^2 = 7$. This means that 7 is a congruent number, as it is square-free.
Similarly, beginning with the Pythagorean triple $(x, y, z) = (5, 12, 13)$, we have $x^2 = 25$,
$y^2 = 144$, $x^2 + y^2 = 169$, and $y^2 - x^2 = 119$. We conclude that 119 is a congruent
number, as it is square-free.
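The two ways of producing congruent numbers from a primitive Pythagorean triple (the square-free part of its area, as in Table 13.2, and the square-free part of $|x^2 - y^2|$, as in Theorem 13.14) can be computed mechanically. The following is an added example, not code from the book; the function names are assumptions chosen for illustration.

```python
from math import gcd


def square_free_part(n):
    """Write n = s*s*N with N square-free and return (s, N), by trial division."""
    s, N, p = 1, 1, 2
    while p * p <= n:
        e = 0
        while n % p == 0:
            n //= p
            e += 1
        s *= p ** (e // 2)      # pairs of p go into the square factor
        if e % 2:
            N *= p              # an unpaired p stays in the square-free part
        p += 1
    return s, N * n             # what is left of n is 1 or a single prime


def primitive_triples(max_m):
    """Yield (m, n, x, y, z) for coprime m > n >= 1 of opposite parity, m <= max_m."""
    for m in range(2, max_m + 1):
        for n in range(1, m):
            if (m - n) % 2 == 1 and gcd(m, n) == 1:
                yield m, n, m * m - n * n, 2 * m * n, m * m + n * n


def table_rows(max_m):
    """Rows of Table 13.2: m, n, x, y, z, area, square-free part of the area."""
    rows = []
    for m, n, x, y, z in primitive_triples(max_m):
        area = x * y // 2       # equals (m^2 - n^2) * m * n
        rows.append((m, n, x, y, z, area, square_free_part(area)[1]))
    return rows


def congruent_from_theorem_13_14(x, y):
    """Return (s, N) with |x^2 - y^2| = s^2 * N, for legs x, y of a primitive triple."""
    return square_free_part(abs(x * x - y * y))


if __name__ == "__main__":
    for row in table_rows(6):
        print(*row, sep="\t")
    print(congruent_from_theorem_13_14(3, 4), congruent_from_theorem_13_14(5, 12))
```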


Determining the Smallest Congruent Number 


In Examples 13.12 and 13.13, we showed that 5, 6, and 7 are congruent numbers. As we
mentioned earlier, Fermat showed that none of 1, 2, or 3 is a congruent number. We also
know that 4 is not a congruent number, for if 4 were a congruent number, $(1/2)^2 \cdot 4 = 1$
would also be one. Hence, 5 is the smallest integer that is a congruent number.

We now show that no square can be a congruent number. This, of course, shows that
1 is not a congruent number, as it is a square. We leave the proofs that 2 and 3 are not
congruent numbers as exercises at the end of this section.


Theorem 13.15. The area of a rational right triangle cannot be a square.


Proof. We use infinite descent to prove the theorem. To begin, suppose that there exists
a rational right triangle with an area that is a square. By multiplying each side by the
least common multiple of the denominators of the sides, we obtain an integer right triangle
with an area that is a square. When we divide the sides of the integer right triangle by
the greatest common divisor of the lengths of its three sides, we obtain a primitive right
triangle. So, it follows that the set $S$ of primitive right triangles that have a square as their
area is nonempty. By the well-ordering property, applied to the squares of the lengths
of the hypotenuses of elements of $S$, there is a triangle in $S$ with hypotenuse of shortest
length.


Now suppose that the primitive Pythagorean triple corresponding to this triangle
is $(m^2 - n^2, 2mn, m^2 + n^2)$, where $m$ and $n$ are relatively prime positive integers of
opposite parity and $m > n$. The area of this triangle is

$$(m^2 - n^2)mn = (m + n)(m - n)mn.$$

As $m$ and $n$ are relatively prime, the reader can verify that the factors $m + n$, $m - n$, $m$,
and $n$ are pairwise relatively prime. So, because $(m + n)(m - n)mn$ is a square, each of
the four factors is a square. We let $m + n = a^2$, $m - n = b^2$, $m = c^2$, and $n = d^2$, where
$a$, $b$, $c$, and $d$ are integers. Note that $a$ and $b$ are relatively prime odd integers (as $m$ and $n$
have opposite parity), $(a^2 + b^2)/2 = m$, and the length of the hypotenuse of this triangle
is $m^2 + n^2 = c^4 + d^4$.

Observe that

$$2d^2 = a^2 - b^2 = (a - b)(a + b).$$

Note that both $a - b$ and $a + b$ are even (as $a$ and $b$ are odd) and that a common
divisor of them divides both $(a + b) + (a - b) = 2a$ and $(a + b) - (a - b) = 2b$. Hence,
$(a - b, a + b) \mid 2(a, b) = 2$, so that $(a - b, a + b) = 2$. This, and the equation $2d^2 =
(a - b)(a + b)$, implies (as the reader should verify) that one of the two integers $a - b$
and $a + b$ is of the form $2u^2$ and the other is of the form $v^2$ where $(u, v) = 1$.

Because

$$(a + b) + (a - b) = 2a = 2u^2 + v^2,$$

we see that $v^2$ must be even. Hence, $v$ is even and $v = 2w$ for some positive integer
$w$. Hence, $v^2 = 4w^2$ and $a = u^2 + 2w^2$. Likewise, we find that $b = \pm(u^2 - 2w^2)$ and
$d = 2uw$. Consequently,

$$m = (a^2 + b^2)/2 = ((u^2 + 2w^2)^2 + (u^2 - 2w^2)^2)/2 = u^4 + 4w^4.$$

It follows that $(u^2, 2w^2, c)$ is a primitive Pythagorean triple and the corresponding
triangle has area $(u^2 \cdot 2w^2)/2 = (uw)^2$ and hypotenuse of length $c$. Because $c < c^4 + d^4$
(which follows because $c$ is a positive integer), we have produced another primitive right
triangle whose area is a square with a hypotenuse that is shorter than what we stated was
the shortest hypotenuse. This completes the proof by infinite descent.


Arithmetic Progressions of Three Squares and Congruent Numbers 


We will now study a problem that is equivalent to the congruent number problem, but 
which, at first blush, does not seem to be related to it. This problem asks: Which positive 
integers are the common difference of an arithmetic progression of three squares of 
integers? For example, examining the sequence of squares 


1, 4, 9, 16, 25, 36, 49, 64, 81, 100, 121, 144, ...,


we observe that 1, 25, 49 is such a sequence of three squares with common difference
24. In his 1225 book Liber Quadratorum, Fibonacci called an integer $n$ a congruum
if there is an integer $x$ such that $x^2 \pm n$ are both squares. Consequently, the integer $n$
is a congruum if and only if there is an integer $x$ such that $x^2 - n$, $x^2$, $x^2 + n$ is an
arithmetic progression of three squares with common difference $n$. (Equivalently, $n$ is a
congruum if and only if there is a solution $p$, $q$, $r$ of the two simultaneous diophantine
equations $q^2 - p^2 = n$ and $r^2 - q^2 = n$.) The word congruum comes from the Latin
word congruere, which means to meet together, as do three squares in an arithmetic
progression.


Fibonacci was concerned with arithmetic progressions of three squares of nonzero
integers. What if we broaden our study to include arithmetic progressions of three rational
numbers? Note that $a^2$, $b^2$, $c^2$ is an arithmetic progression of three squares of rational
numbers with common difference $N$ if and only if $(sa)^2$, $(sb)^2$, $(sc)^2$ is a progression of
three rational squares with common difference $s^2 N$ whenever $s$ is an integer. So, if we
find an arithmetic progression of three squares with common difference $s^2 N$ where
$N$ is square-free, we can obtain an arithmetic progression of three rational squares with
$N$ as its common difference by dividing each term by $s^2$.


We now show that asking whether a positive integer $N$ is a congruent number is
the same as asking whether it is the common difference of an arithmetic progression of
three squares. First, suppose that the positive integer $N$ is a congruent number. Then
there are positive integers $a$, $b$, and $c$ such that $a^2 + b^2 = c^2$ and $ab/2 = N$. Note that
$(a + b)^2 = a^2 + 2ab + b^2 = (a^2 + b^2) + 2ab = c^2 + 2ab$ and $(a - b)^2 = a^2 - 2ab +
b^2 = (a^2 + b^2) - 2ab = c^2 - 2ab$. Consequently, $(a - b)^2$, $c^2$, $(a + b)^2$ is an arithmetic
progression of three squares with common difference $2ab = 4(ab/2) = 4N$. Dividing
all the terms of this arithmetic progression by 4 produces the arithmetic progression
$((a - b)/2)^2$, $(c/2)^2$, $((a + b)/2)^2$. This is an arithmetic progression of three squares
of rational numbers with common difference $N$. We illustrate this construction with an
example.


Example 13.15. In Example 13.13, we showed that 5 is a congruent number because
it is the area of the right triangle with sides of lengths $a = 3/2$, $b = 20/3$, and $c =
41/6$. Hence, $(((3/2) - (20/3))/2)^2 = (31/12)^2$, $((41/6)/2)^2 = (41/12)^2$, and $(((3/2) +
(20/3))/2)^2 = (49/12)^2$ is an arithmetic progression of three squares with common
difference 5.


Now suppose that we have an arithmetic progression of three squares of rational
numbers $x^2 - N$, $x^2$, $x^2 + N$. How can we construct a rational right triangle with area
$N$? If we let $a = \sqrt{x^2 + N} - \sqrt{x^2 - N}$, $b = \sqrt{x^2 + N} + \sqrt{x^2 - N}$, and $c = 2x$, then
$a$, $b$, and $c$ are rational numbers, and we find that $a^2 + b^2 = (\sqrt{x^2 + N} - \sqrt{x^2 - N})^2 +
(\sqrt{x^2 + N} + \sqrt{x^2 - N})^2 = 4x^2 = c^2$ and $ab/2 = (\sqrt{x^2 + N} - \sqrt{x^2 - N})(\sqrt{x^2 + N} +
\sqrt{x^2 - N})/2 = ((x^2 + N) - (x^2 - N))/2 = N$. Hence, $N$ is a congruent number. We
illustrate this construction with an example.


Example 13.16. We have observed that 1, 25, 49 is an arithmetic progression of three
squares with common difference $24 = 2^2 \cdot 6$. We divide each term of this arithmetic
progression by $2^2 = 4$ to obtain the arithmetic progression 1/4, 25/4, 49/4 of three
rational squares with common difference $N = 6$, which is square-free. To find a rational
right triangle with sides of lengths $a$, $b$, and $c$ and area 6, we use the value $x^2 = 25/4$ in our
construction. This produces the right triangle with sides $a$, $b$, $c$ where $a = \sqrt{(5/2)^2 + 6} -
\sqrt{(5/2)^2 - 6} = \sqrt{49/4} - \sqrt{1/4} = 7/2 - 1/2 = 3$, $b = \sqrt{(5/2)^2 + 6} + \sqrt{(5/2)^2 - 6} =
\sqrt{49/4} + \sqrt{1/4} = 7/2 + 1/2 = 4$, and $c = 2x = 2(5/2) = 5$.


We summarize our observations in the following theorem. 


Theorem 13.16. The positive integer $N$ is a congruent number if and only if $N$ is the
common difference of an arithmetic progression of three squares of rational numbers.


We have seen that the congruent number problem is equivalent to determining which 
positive integers are congruum. This equivalence is what is behind the use of the term 
“congruent number,” as the word “congruent” also comes from the Latin word congruere. 
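Both directions of Theorem 13.16 can be carried out in exact rational arithmetic, which avoids the rounding that floating-point square roots would introduce. The following is an added example, not code from the book; the function names and the optional scaling argument `s` are assumptions chosen for illustration.

```python
from fractions import Fraction
from math import isqrt


def rational_sqrt(q):
    """Exact square root of a Fraction, or None if q is not the square of a rational."""
    q = Fraction(q)
    if q < 0:
        return None
    rn, rd = isqrt(q.numerator), isqrt(q.denominator)
    # A Fraction is stored in lowest terms, so q is a rational square exactly
    # when its numerator and its denominator are both perfect squares.
    if rn * rn == q.numerator and rd * rd == q.denominator:
        return Fraction(rn, rd)
    return None


def triangle_to_progression(a, b, c):
    """Right triangle (a, b, c) -> (N, three rational squares with common difference N)."""
    a, b, c = (Fraction(v) for v in (a, b, c))
    if a * a + b * b != c * c:
        raise ValueError("not a right triangle")
    N = a * b / 2
    return N, (((a - b) / 2) ** 2, (c / 2) ** 2, ((a + b) / 2) ** 2)


def progression_to_triangle(lo2, mid2, hi2, s=1):
    """Three squares in arithmetic progression -> (N, (a, b, c)) with area N.

    Each term is first divided by s*s, as in Example 13.16, so that a common
    difference of the form s^2 * N is reduced to N.
    """
    lo2, mid2, hi2 = (Fraction(v) / (s * s) for v in (lo2, mid2, hi2))
    N = mid2 - lo2
    if N <= 0 or hi2 - mid2 != N:
        raise ValueError("not an increasing arithmetic progression")
    lo, x, hi = rational_sqrt(lo2), rational_sqrt(mid2), rational_sqrt(hi2)
    if None in (lo, x, hi):
        raise ValueError("terms are not all rational squares")
    return N, (hi - lo, hi + lo, 2 * x)


if __name__ == "__main__":
    print(triangle_to_progression(Fraction(3, 2), Fraction(20, 3), Fraction(41, 6)))
    print(progression_to_triangle(1, 25, 49, s=2))
```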


Congruent Numbers and Elliptic Curves 


According to the definition, a positive integer $N$ is a congruent number if there is a
solution in positive rational numbers $(a, b, c)$ to the simultaneous pair of diophantine
equations $a^2 + b^2 = c^2$ and $ab/2 = N$. We have also seen that $N$ is a congruent number
if there is a solution in rational numbers $(r, s, t)$ to the simultaneous pair of diophantine
equations $s^2 - r^2 = N$ and $t^2 - s^2 = N$. However, there is a third condition that
characterizes congruent numbers in terms of rational solutions of a single diophantine
equation.


Suppose that $N$ is a congruent number and that $a$, $b$, and $c$ are positive rational
numbers with $a^2 + b^2 = c^2$ and $ab/2 = N$. We will show that the triple $(a, b, c)$
corresponds to a rational point on a certain curve. To find this curve and to set up the
correspondence, first set $u = c - a$, so that $c = a + u$. We note that $u > 0$, because
$b^2 = c^2 - a^2 = (c + a)(c - a) = (c + a)u$. Next, we substitute $a + u$ for $c$ in the
equation $a^2 + b^2 = c^2$, which gives us $a^2 + b^2 = a^2 + 2au + u^2$. We now simplify and
rearrange terms to see that $2au = b^2 - u^2$. Next, we divide both sides of the equation
$ab/2 = N$ by $b$ (note that $b \neq 0$ because $ab = 2N$) to see that $a = 2N/b$. When we
substitute $2N/b$ for $a$ in the equation $2au = b^2 - u^2$, we obtain

$$4Nu/b = b^2 - u^2.$$

We then multiply both sides of this last equation by $b/u^3$ (note that $u \neq 0$; if $u = 0$, then
$a = c$, which would imply that $b = 0$) to obtain

$$4N/u^2 = (b/u)^3 - (b/u).$$

Next, we multiply both sides by $N^3$, yielding

$$(2N^2/u)^2 = (Nb/u)^3 - N^2(Nb/u).$$

We can now conclude that the point $(x, y)$ where $x = Nb/u = Nb/(c - a)$ and $y =
2N^2/u = 2N^2/(c - a)$ lies on the curve

$$y^2 = x^3 - N^2 x$$

with both $x$ and $y$ positive because $c - a > 0$.


Now suppose that $(x, y)$ is a rational point on the curve $y^2 = x^3 - N^2 x$. We will find
a triple of positive rational numbers $(a, b, c)$ with $a^2 + b^2 = c^2$ and $ab/2 = N$. Observe
that if $a$, $b$, and $c$ are rational numbers with $x = Nb/(c - a)$ and $y = 2N^2/(c - a)$, then

$$x/y = (Nb/(c - a))/(2N^2/(c - a)) = b/2N.$$

So, we take $b = 2Nx/y$. Because we want $ab/2 = N$, it follows that $a = 2N/b$. This
tells us to take

$$a = 2N/(2Nx/y) = y/x = y^2/xy = (x^3 - N^2 x)/xy = (x^2 - N^2)/y.$$

We see, after simplification, that

$$a^2 + b^2 = ((x^2 - N^2)/y)^2 + (2Nx/y)^2 = (x^2 + N^2)^2/y^2.$$

Taking the positive square root, we find that we should take $c = (x^2 + N^2)/y$.
We now summarize what we have shown.

Theorem 13.17. Suppose that $N$ is a congruent number. Then there is a bijection
between the set of triples of positive rational numbers $(a, b, c)$ with $a^2 + b^2 = c^2$
and $ab/2 = N$ and rational points $(x, y)$ with $x$ and $y$ both positive on the curve
$y^2 = x^3 - N^2 x$. Under this bijection, the triple $(a, b, c)$ is mapped to the point $(x, y)$
where

$$x = \frac{Nb}{c - a}, \qquad y = \frac{2N^2}{c - a},$$

and the point $(x, y)$ on the curve $y^2 = x^3 - N^2 x$ is mapped to the triple $(a, b, c)$ where

$$a = \frac{x^2 - N^2}{y}, \qquad b = \frac{2Nx}{y}, \qquad c = \frac{x^2 + N^2}{y}.$$

The next theorem is an immediate consequence of Theorem 13.17.


Theorem 13.18. The positive integer $N$ is a congruent number if and only if there is a
rational point $(x, y)$ with both $x$ and $y$ positive on the curve $y^2 = x^3 - N^2 x$.


The next two examples illustrate how to use Theorem 13.17. 


Example 13.17. The primitive right triangle with sides 3, 4, and 5 has area $N = 6$.
Under the correspondence in Theorem 13.17, the triple (3, 4, 5) corresponds to the point
$(x, y) = ((6 \cdot 4)/(5 - 3), (2 \cdot 6^2)/(5 - 3)) = (12, 36)$ on the curve $y^2 = x^3 - 6^2 x =
x^3 - 36x$.


Example 13.18. Table 13.2 shows us that 210 is the area of a right triangle with
sides of length 21, 20, and 29 and the area of a right triangle with sides of length 35,
12, and 37. By Theorem 13.17, we know that these two rational right triangles each
correspond to rational points on the curve $y^2 = x^3 - 210^2 x$. Under the correspondence
in this theorem, (21, 20, 29) is mapped to the point $(x, y) = ((210 \cdot 20)/(29 - 21),
(2 \cdot 210^2)/(29 - 21)) = (525, 11025)$ and (35, 12, 37) is mapped to the point $(x, y) =
((210 \cdot 12)/(37 - 35), (2 \cdot 210^2)/(37 - 35)) = (1260, 44100)$.


Curves of the form $y^2 = x^3 - N^2 x$ that have arisen in our study of congruent
numbers are examples of elliptic curves. More generally, an elliptic curve is the set of
points $(x, y)$ that satisfy $y^2 = x^3 + ax + b$ where $a$ and $b$ are real numbers. Elliptic
curves played an essential and surprising role in the proof of Fermat’s last theorem.
Elliptic curves are also the basis of a powerful factorization method. Furthermore, there
is an important public key cryptosystem based on elliptic curves. We will only briefly
address some of the properties of elliptic curves here. The study of elliptic curves is
fascinating and leads to many unsettled conjectures which have important consequences.
The interested reader can learn much more about elliptic curves by consulting [Wa08].


Adding Points on an Elliptic Curve. A key feature of elliptic curves is that we can
use algebraic techniques to construct new points on them using points we already know.
In particular, given two points on an elliptic curve $C$, we can find a new point on $C$
by computing their sum, where this sum is defined using the geometry of the curve, as
explained below. (As we shall see, this sum is different from the point whose coordinates
are the sums of the respective coordinates of the two points.) To see how we define this
sum, suppose that $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ with $x_1 \neq x_2$ are two points on the
elliptic curve $y^2 = x^3 + ax + b$. To define their sum $P_1 + P_2$ geometrically, we draw
the line $\ell$ connecting $P_1$ and $P_2$. We will show that this line intersects $C$ in a third point
$P_3'$. The sum $P_1 + P_2$ is then defined to be the point $P_3$, which is obtained from $P_3'$ by
changing the sign of the $y$-coordinate. Geometrically, this corresponds to reflecting $P_3'$
across the $x$-axis. (A key reason for defining the sum this way is to make it associative;
see [Wa08].) We illustrate this procedure in Figure 13.2.


Figure 13.2 Addition of two points with distinct x-coordinates on an elliptic curve.


To develop an algebraic formula for $P_3 = P_1 + P_2$, first note that the slope of
the line $\ell$ through $P_1$ and $P_2$ is $m = (y_2 - y_1)/(x_2 - x_1)$ and that the equation of $\ell$ is
$y = m(x - x_1) + y_1$. To determine the third point of intersection of $\ell$ and $C$ ($P_1$ and
$P_2$ are the other two points of intersection), we substitute the value for $y$ given by the
equation of $\ell$ into the equation for $C$. This gives us

$$(m(x - x_1) + y_1)^2 = x^3 + ax + b.$$

From this equation, we see that if the point $(x, y)$ is a point of intersection of $\ell$ and
$C$, then $x$ is a root of a cubic equation for $x$, obtained by subtracting the left-hand
side of the last displayed equation from the right-hand side. Hence, the coefficient of
$x^2$ in this cubic equation is $-m^2$. Now, recall that if $r_1$, $r_2$, and $r_3$ are the roots of a
cubic polynomial $x^3 + a_2 x^2 + a_1 x + a_0$, then $r_1 + r_2 + r_3 = -a_2$. Our third point of
intersection of $\ell$ and $C$ is $P_3' = (x_3, -y_3)$. Consequently, we know that $x_1 + x_2 + x_3 = m^2$,
so that $x_3 = m^2 - x_1 - x_2$. It follows that $y_3 = m(x_1 - x_3) - y_1$.


We now consider the case when $P_1 = P_2$. Note that as $P_2$ approaches $P_1$
on $C$, the line between $P_1$ and $P_2$ approaches the tangent line to $C$ at $P_1$. To define
$P_1 + P_1 = 2P_1$, we first draw the tangent line $\ell$ to $C$ at $P_1$. This line intersects the curve
in a point $P_3'$. We change the sign of the $y$-coordinate to produce the point $P_3$. (We can
use implicit differentiation to find the slope of $C$ at the point $P_1$.) We leave it to the reader to
complete the details of this case; the resulting algebraic formula is given in the statement
of the next theorem.


Before we give a formula for the sum of two points $P_1$ and $P_2$ on an elliptic curve
that includes all possible cases, we need to introduce the point at infinity, denoted by
$\infty$. This point can be thought of as a point sitting both on top and at the bottom of the
$y$-axis. For example, when $x_1 = x_2$ and $y_1 \neq y_2$, $\ell$ is a vertical line that is considered to
intersect the elliptic curve at $\infty$. When we reflect this point across the $x$-axis, we obtain
this same point $\infty$.


We can define the sum of two points on an elliptic curve for all possible values of 
these points. 

Definition. Addition Formula for Elliptic Curves. Suppose that $P_1 = (x_1, y_1)$ and
$P_2 = (x_2, y_2)$ are points on the elliptic curve $y^2 = x^3 + ax + b$.

(i) When $P_1 \neq P_2$ and neither is the point at infinity, if $x_1 \neq x_2$ define

$$P_1 + P_2 = (m^2 - x_1 - x_2, \; m(x_1 - x_3) - y_1)$$

where $m = (y_2 - y_1)/(x_2 - x_1)$, and if $x_1 = x_2$ but $y_1 \neq y_2$, define

$$P_1 + P_2 = \infty.$$

(ii) When $P_1 = P_2$ is not the point at infinity, if $y_1 = y_2 \neq 0$, define

$$P_1 + P_2 = 2P_1 = (m^2 - 2x_1, \; m(x_1 - x_3) - y_1)$$

where $m = (3x_1^2 + a)/2y_1$, and define

$$P_1 + P_2 = \infty$$

if $y_1 = y_2 = 0$.

(iii) Finally, define

$$P + \infty = P$$

for all points $P$ on the elliptic curve (including $\infty$).


Addition of points on an elliptic curve, as we have defined it, satisfies commutativity,
$P_1 + P_2 = P_2 + P_1$ for all points $P_1$ and $P_2$; existence of identity, $P + \infty = P$ for
all points $P$; existence of inverses, for all points $P$, there exists a point $P'$ such that
$P + P' = \infty$; and associativity, $(P_1 + P_2) + P_3 = P_1 + (P_2 + P_3)$ for all points $P_1$, $P_2$,
and $P_3$. (See [Wa08] for proofs of these properties.)


Note that given two distinct rational points $P_1$ and $P_2$ on an elliptic curve, their sum
is again a rational point, as the reader should verify from the definition. Similarly, given a
rational point $P$ on an elliptic curve, its algebraic double $2P$, and all points of the form
$kP$, where $k$ is a positive integer, are also rational points on this curve. Hence, when
we know one or more rational points on the elliptic curve $y^2 = x^3 - N^2 x$ where $N$ is
a positive integer, we can use addition of points to construct other rational points. Each
rational point we find corresponds to a rational right triangle with area $N$.


The following example shows how to use algebraic doubling to find additional right 
triangles with a given area. 


Example 13.19. In Example 13.17, we found the rational point $P = (x, y) = (12, 36)$
on the elliptic curve $y^2 = x^3 - 36x$ corresponding to the rational right triangle with sides
3, 4, 5. We can find another rational right triangle with area 6 by finding the rational right
triangle that corresponds to $2P$, the algebraic double of (12, 36) on this elliptic curve.


To compute $2P$, we first find the slope of the tangent line $\ell$ to the curve at (12, 36).
This slope is $m = (3 \cdot 12^2 - 36)/(2 \cdot 36) = 11/2$. We use the value of the slope to find
that $x_3 = m^2 - 2x_1 = (11/2)^2 - 2 \cdot 12 = 25/4$. Next, we use the value of $x_3$ to find
that $m(x_1 - x_3) - y_1 = (11/2)(12 - 25/4) - 36 = (11/2)(23/4) - 36 = 253/8 - 288/8 =
-35/8$. This means that $2P = (25/4, -35/8)$.


To use the correspondence in Theorem 13.17, we want a point with positive
$y$-coordinate. Note that we can change the sign of the $y$-coordinate to get the point
$(25/4, 35/8)$ on the curve. By Theorem 13.17, we find that the triple $(a, b, c)$ corresponding
to $(25/4, 35/8)$ has $a = ((25/4)^2 - 36)/(35/8) = 7/10$, $b = (2 \cdot 6 \cdot 25/4)/(35/8) =
120/7$, and $c = ((25/4)^2 + 36)/(35/8) = 1201/70$. It follows that the rational
right triangle with sides of length 7/10, 120/7, and 1201/70 also has area 6. This
procedure can be iterated to find additional rational right triangles with area 6 (see Exercise
6 in the Computations and Explorations).


Using the doubling formula illustrated in Example 13.19, it can be shown that when
$N$ is a congruent number, there are infinitely many different rational triangles with area
$N$. A proof of this result, using properties of rational points on elliptic curves beyond
the scope of this book, can be found in [Ch06].


The next example shows how to use the two rational right triangles with area $N$ to
find additional rational right triangles with the same area.


Example 13.20. In Example 13.18, we found two rational points on the elliptic curve
$y^2 = x^3 - 210^2 x$. These points are $P_1 = (525, 11025)$, which corresponds to the rational
right triangle with side lengths 21, 20, and 29, and $P_2 = (1260, 44100)$, which
corresponds to the rational right triangle with side lengths 35, 12, and 37. We can find another
rational right triangle with area 210 by computing $P_1 + P_2$. To find this sum, first note that
$m = (44100 - 11025)/(1260 - 525) = 45$. Consequently, $x_3 = m^2 - x_1 - x_2 = 45^2 -
525 - 1260 = 240$ and $y_3 = m(x_1 - x_3) - y_1 = 45(525 - 240) - 11025 = 1800$. We find
that $P_1 + P_2 = (240, 1800)$.


By Theorem 13.17, (240, 1800) corresponds to the triple $(a, b, c)$ with $a = (240^2 -
210^2)/1800 = (57600 - 44100)/1800 = 15/2$, $b = 2 \cdot 210 \cdot 240/1800 = 56$, and $c =
(240^2 + 210^2)/1800 = 113/2$. This means that the rational right triangle with sides of
length 15/2, 56, and 113/2 also has area 210.
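The addition formula and the correspondence of Theorem 13.17 fit together into a small exact-arithmetic tool that reproduces Examples 13.17 through 13.20. The following is an added example, not code from the book; the function names, the use of `None` for the point at infinity, and the sign flip of $y$ in `point_to_triangle` (the step Example 13.19 performs by hand) are choices made for illustration.

```python
from fractions import Fraction

INF = None  # the point at infinity


def _pt(P):
    """Convert a point to exact Fractions; the point at infinity passes through."""
    return INF if P is INF else (Fraction(P[0]), Fraction(P[1]))


def on_curve(P, a, b):
    """True if P lies on y^2 = x^3 + a*x + b (the point at infinity always does)."""
    P = _pt(P)
    return P is INF or P[1] ** 2 == P[0] ** 3 + a * P[0] + b


def ec_add(P, Q, a, b):
    """P + Q on y^2 = x^3 + a*x + b over the rationals, by cases (i)-(iii)."""
    P, Q = _pt(P), _pt(Q)
    if not (on_curve(P, a, b) and on_curve(Q, a, b)):
        raise ValueError("point not on curve")
    if P is INF:                        # case (iii): infinity is the identity
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 != x2:                        # case (i): chord through P and Q
        m = (y2 - y1) / (x2 - x1)
    elif y1 != y2 or y1 == 0:           # vertical line: sum is infinity
        return INF
    else:                               # case (ii): tangent line at P
        m = (3 * x1 * x1 + a) / (2 * y1)
    x3 = m * m - x1 - x2
    return (x3, m * (x1 - x3) - y1)


def triangle_to_point(a, b, c, N):
    """Theorem 13.17: triangle (a, b, c) of area N -> point on y^2 = x^3 - N^2 x."""
    a, b, c, N = (Fraction(v) for v in (a, b, c, N))
    if a * a + b * b != c * c or a * b / 2 != N:
        raise ValueError("not a right triangle of area N")
    return (N * b / (c - a), 2 * N * N / (c - a))


def point_to_triangle(P, N):
    """Theorem 13.17: point on y^2 = x^3 - N^2 x -> triangle (a, b, c) of area N."""
    x, y = _pt(P)
    N = Fraction(N)
    if not on_curve((x, y), -N * N, 0):
        raise ValueError("point not on curve")
    y = abs(y)                          # reflect across the x-axis if needed
    if x <= 0 or y == 0:
        raise ValueError("need x > 0 and y != 0")
    return ((x * x - N * N) / y, 2 * N * x / y, (x * x + N * N) / y)


if __name__ == "__main__":
    P = triangle_to_point(3, 4, 5, 6)
    print(P, ec_add(P, P, -36, 0), point_to_triangle(ec_add(P, P, -36, 0), 6))
```

Calling `ec_add` repeatedly on its own output iterates the doubling step that Example 13.19 describes.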


An Algorithm for Congruent Numbers. We conclude this section with an efficient
algorithm for determining whether a positive integer is a congruent number.
Unfortunately, it is not yet known whether this algorithm always yields the correct answer. This
algorithm is based on a theorem proved in 1983 by Jerrold Tunnell in [Tu83]. The proof
of this theorem is based on deep results about elliptic curves and modular forms and is
beyond the scope of this book (see [Ko96] for a proof).


Theorem 13.19. Tunnell’s Theorem. Let $A_n$, $B_n$, $C_n$, and $D_n$, where $n$ is a positive
integer, be the number of solutions in integers $x$, $y$, $z$ of the equations $n = 2x^2 +
y^2 + 32z^2$, $n = 2x^2 + y^2 + 8z^2$, $n = 8x^2 + 2y^2 + 64z^2$, and $n = 8x^2 + 2y^2 + 16z^2$,
respectively. If $n$ is a congruent number, then if $n$ is odd, $A_n = B_n/2$, and if $n$ is
even, $C_n = D_n/2$. Conversely, under the assumption that the Birch-Swinnerton Dyer
conjecture holds, if $n$ is odd and $A_n = B_n/2$ or if $n$ is even and $C_n = D_n/2$, then $n$ is a
congruent number.


To use Tunnell’s theorem to determine whether a positive integer is a congruent
number, we find $A_n$, $B_n$, $C_n$, and $D_n$ and check the appropriate equality. This can be
done efficiently because these quantities can be found quickly by brute force. Tunnell’s
theorem can tell us that an integer is not a congruent number, but it cannot itself tell us
with certainty that an integer is a congruent number. Of course, this uncertainty would be
removed if the Birch-Swinnerton Dyer conjecture were proved. The following example
illustrates the use of Tunnell’s theorem.


Example 13.21. Tunnell’s theorem can confirm Fermat’s result that 3 is not a congruent
number. We note that $A_3 = 4$ and $B_3 = 4$, as the solutions in integers of both $3 = 2x^2 +
y^2 + 32z^2$ and $3 = 2x^2 + y^2 + 8z^2$ are $x = \pm 1$, $y = \pm 1$, $z = 0$. Because $A_3 \neq B_3/2$, it
follows that 3 is not a congruent number.


The conjectural part of Tunnell’s theorem predicts that 34 is a congruent number.
To see this, note that $C_{34} = 4$ because the solutions in integers $x$, $y$, $z$ of $34 = 8x^2 +
2y^2 + 64z^2$ are $x = \pm 2$, $y = \pm 1$, $z = 0$ and $D_{34} = 8$ because the solutions in integers
$x$, $y$, $z$ of $34 = 8x^2 + 2y^2 + 16z^2$ are $x = \pm 2$, $y = \pm 1$, $z = 0$, and $x = 0$, $y = \pm 3$,
$z = \pm 1$. Hence, $C_{34} = D_{34}/2$. So, under the assumption that the Birch-Swinnerton Dyer
conjecture holds, it follows that 34 is a congruent number. We leave it to the reader
to confirm this by finding a rational right triangle with area 34. (See Exercise 2 in the
Computations and Explorations.)
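The brute-force count behind Tunnell's theorem takes only a few lines. The following is an added example, not code from the book; the function names are assumptions. Tunnell's criterion is normally stated for square-free $n$, a condition the statement above does not spell out, so the check for it in `passes_tunnell` is an assumption added by this example.

```python
from math import isqrt


def count_solutions(n, a, b, c):
    """Number of integer triples (x, y, z) with a*x^2 + b*y^2 + c*z^2 = n."""
    total = 0
    z_max = isqrt(n // c)
    for z in range(-z_max, z_max + 1):
        rest_z = n - c * z * z
        x_max = isqrt(rest_z // a)
        for x in range(-x_max, x_max + 1):
            rest = rest_z - a * x * x
            if rest % b:
                continue
            t = rest // b               # we need y*y == t
            r = isqrt(t)
            if r * r == t:
                total += 1 if r == 0 else 2   # y = 0, or y = +r and y = -r
    return total


def tunnell_counts(n):
    """Return (A_n, B_n) for odd n and (C_n, D_n) for even n."""
    if n % 2:
        return count_solutions(n, 2, 1, 32), count_solutions(n, 2, 1, 8)
    return count_solutions(n, 8, 2, 64), count_solutions(n, 8, 2, 16)


def is_square_free(n):
    return all(n % (p * p) for p in range(2, isqrt(n) + 1))


def passes_tunnell(n):
    """False: n is certainly not a congruent number.
    True: n is a congruent number if the Birch-Swinnerton Dyer conjecture holds.
    """
    if n < 1 or not is_square_free(n):
        # Assumption added by this example: reduce n to its square-free part first.
        raise ValueError("n must be a square-free positive integer")
    first, second = tunnell_counts(n)
    return 2 * first == second          # A_n = B_n / 2, or C_n = D_n / 2


if __name__ == "__main__":
    for n in (3, 5, 6, 7, 34):
        print(n, tunnell_counts(n), passes_tunnell(n))
```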


EXERCISES 


1. Show that the area of a primitive Pythagorean triangle is even. 


2. Find the congruent numbers that appear in the last column of an extended version of Table
13.2 that includes rows corresponding to $m = 7$ and $n = 2, 4, 6$.


3. Find the congruent numbers that appear in the last column of an extended version of Table
13.2 that includes rows corresponding to $m = 8$ and $n = 1, 3, 5, 7$.


4. Find the congruent numbers that appear in the last column of an extended version of Table
13.2 that includes rows corresponding to $m = 9$ and $n = 2, 4, 8$.


5. Find the square-free congruent number corresponding to the area of the primitive right triangle
corresponding to these Pythagorean triples.
a) (15, 8, 17) b) (7, 24, 25) c) (21, 20, 29) d) (9, 40, 41)


6. Find the square-free congruent number corresponding to the area of the primitive right triangle
corresponding to these Pythagorean triples.
a) (35, 12, 37) b) (11, 60, 61) c) (45, 28, 53) d) (33, 56, 65)


7. Show that there are infinitely many different congruent numbers. 


8. Complete the proof of Theorem 13.14 by dealing with the three cases not addressed in the
text.


9. Use the fact that 1 is not a congruent number to show that $\sqrt{2}$ is not rational. (Hint: Consider
the right triangle with two legs of length $\sqrt{2}$.)


10. Use the fact that 2 is not a congruent number to show that $\sqrt{2}$ is not rational. (Hint: Consider
the right triangle with two legs of length 2.)


11. Use the method of infinite descent to show that no integer that is twice a square is a congruent
number.


12. Prove that 3 is not a congruent number. (Hint: Use Theorem 13.14. Three of the four cases
are straightforward, but the fourth is quite complicated.)


13. Explain why these integers cannot be the common difference of an arithmetic progression of
three squares.
a) 1 b) 8 c) 25 d) 48


14. Explain why these integers cannot be the common difference of an arithmetic progression of
three squares.
a) 2 b) 9 c) 32 d) 300


15. Find a rational number $r$ such that $r^2 \pm 7$ are both squares of rational numbers.


16. Find a rational number $r$ such that $r^2 \pm 15$ are both squares of rational numbers.


17. Construct a right triangle with rational sides with area 21 starting with the arithmetic
progression of three squares 289, 625, 961 with common difference 336.


18. Construct a right triangle with rational sides with area 210 starting with the arithmetic
progression of three squares 529, 1369, 2209 with common difference 840.


19. In this exercise, we show that finding all arithmetic progressions of three rational squares is
equivalent to finding all rational points on the circle $x^2 + y^2 = 2$. (See Exercise 21 in Section
13.1 for a parameterization of these points.)

a) Show that if $a^2$, $b^2$, $c^2$ is an arithmetic progression of positive integers, then $(a/b, c/b)$ is
a rational point on the circle $x^2 + y^2 = 2$.

b) Show that if $x^2 + y^2 = 2$, where $x$ and $y$ are rational, and $t$ is a nonzero integer, then $(tx)^2$,
$t^2$, $(ty)^2$ is a progression of three rational squares.


20. Use the mapping in Theorem 13.17 to find the rational point on the elliptic curve $y^2 =
x^3 - 25x$ corresponding to the rational right triangle with sides of lengths 3/2, 20/3, and
41/6.


21. Use the mapping in Theorem 13.17 to find the rational point on the elliptic curve $y^2 =
x^3 - 49x$ corresponding to the rational right triangle with sides of length 35/12, 24/5, and
337/60.


22. Show that there are no rational points $(x, y)$ with $x$ and $y$ positive on the elliptic curve
$y^2 = x^3 - x$. (Hint: Use the fact that 1 is not a congruent number.)


23. Show that there are no rational points $(x, y)$ with $x$ and $y$ positive on the elliptic curve
$y^2 = x^3 - 4x$. (Hint: Use the fact that 2 is not a congruent number.)


24. Complete the derivation of the algebraic doubling formula for a point on an elliptic curve.


25. Use algebraic doubling, starting with the point on the elliptic curve $y^2 = x^3 - 25x$ found in
Exercise 20, to find a rational right triangle with area 5 different than the one with sides of
length 3/2, 20/3, and 41/6.


26. Use algebraic doubling, starting with the point on the elliptic curve $y^2 = x^3 - 49x$ found in
Exercise 21, to find a rational right triangle with area 7 different than the one with sides of
length 35/12, 24/5, and 337/60.


27. Add the points (12, 36) and (25/4, −35/8) on the elliptic curve $y^2 = x^3 - 36x$, and use
Theorem 13.17 to find a rational right triangle with area 6 different from the ones with side
lengths of 3, 4, and 5 and 7/10, 120/7, and 1201/70.


28. Add the points (240, 1800) and (1260, 44100) on the elliptic curve $y^2 = x^3 - 210^2 x$, and
use Theorem 13.17 to find a rational right triangle with area 210 different from the three
mentioned in Example 13.20.


29. Find two arithmetic progressions of three rational squares with common difference 6 other
than the arithmetic progression $(1/2)^2$, $(5/2)^2$, $(7/2)^2$.


30. Find two different arithmetic progressions of three rational squares with common
difference 21.


31. Use Tunnell’s theorem to show that these integers are not congruent numbers.
a) 1 b) 10 c) 17


32. Use Tunnell’s theorem to show that these integers are not congruent numbers.
a) 2 b) 10 c) 126


33. Assuming the Birch-Swinnerton Dyer conjecture, use Tunnell’s theorem to show that 41 is a
congruent number.


34. Assuming the Birch-Swinnerton Dyer conjecture, use Tunnell’s theorem to show that 157 is a
congruent number.


35. Euler conjectured, but did not prove, that if $n$ is a square-free positive integer and $n \equiv 5$, 6, or
7 (mod 8), then $n$ is a congruent number. Assuming the Birch-Swinnerton Dyer conjecture,
use Tunnell’s theorem to prove this conjecture.


A triangle is called a Heron triangle if the lengths of its sides and its area are all rational. These
triangles are named after Heron of Alexandria, who showed that the area of a triangle with sides
of length $a$, $b$, $c$ is $\sqrt{s(s - a)(s - b)(s - c)}$ where $s = (a + b + c)/2$. Recall that if $\theta$ is the angle
formed by the sides of length $a$ and $b$, then the area equals $ab \sin\theta/2$. Also recall that by the law
of cosines, $c^2 = a^2 + b^2 - 2ab\cos\theta$.


36. Show that if a triangle has sides of length 13, 14, 15, then it is a Heron triangle. 


37. Show that if $n$ is a positive integer, then there is a Heron triangle of area $n$. (Hint: Glue
together two triangles with sides of length 2, $|r - (1/r)|$, $|s - (1/s)|$ where $r = 2n/(n - 2)$
and $s = (n - 2)/4$, and scale the triangle appropriately.)


38. Show that if a Heron triangle has side lengths $x$, $y$, $z$, and the angle between the sides of
length $x$ and $y$ is $\theta$, then $\cos\theta$ and $\sin\theta$ are rational numbers and the point $(\sin\theta, \cos\theta)$ is
a rational number $t$ such that $\sin\theta = \frac{2t}{t^2 + 1}$ and $\cos\theta = \frac{t^2 - 1}{t^2 + 1}$.


We call an integer $n$ a $t$-congruent number if there are rational numbers $a$, $b$, $c$ such that
$ab\left(\frac{2t}{t^2 + 1}\right) = 2n$ and $a^2 + b^2 - 2ab\left(\frac{t^2 - 1}{t^2 + 1}\right) = c^2$. (When $t = 1$, a $t$-congruent number is the
same as a congruent number.)


39. a) Suppose that $t$ is a rational number. Show that a positive integer $n$ is a $t$-congruent number
if and only if both $n/t$ and $t^2 + 1$ are rational squares or if there is a rational point $(x, y)$
with $y \ne 0$ on the curve $y^2 = (x - \frac{n}{t})(x + nt)$. (Hint: Show that if $a$, $b$, and $c$ satisfy the
equations in the definition and $b \ne c$, then $(a^2/4, (ab - ac^2)/8)$ lies on this curve. When
$(x, y)$ lies on the curve and $y \ne 0$, let $a = |(x^2 + y^2)/y|$, $b = |(x - (n/t))(x + nt)/y|$;
and when $y = 0$, let $a = 2\sqrt{n/t}$, $b = c = \sqrt{n(t^2+1)/t}$.)

b) Show that the point $(-6, 30)$ lies on the curve $y^2 = (x - \frac{n}{t})(x + nt)$ when $n = 12$ and
$t = 4/3$.

c) Use part (a) to show that 12 is a 4/3-congruent number and find the lengths of the sides
and the area of a triangle with rational side lengths and area 12.

d) Conclude from Exercise 31 that if $n$ is a positive integer, then there is a rational number
$t$ such that $n$ is a $t$-congruent number.


40. This exercise introduces another problem that can be solved by finding rational points on
an elliptic curve. Consider a collection of balls arranged in a square pyramid with $x$ square
layers, with one ball in the top layer, four in the layer below that, and so on, with $x^2$ in the
bottom layer.

a) Show that we can rearrange the balls in the pyramid into a single square of side $y$ if and
only if there is a positive integer solution $(x, y)$ to $y^2 = x(x+1)(2x+1)/6$.

b) Show that if $1 \le x \le 10$, it is possible to arrange the balls into a square pyramid only when
$x = 1$.

c) Show that both $(0, 0)$ and $(1, 1)$ lie on the curve $y^2 = x(x+1)(2x+1)/6$. Find the sum
of $(0, 0)$ and $(1, 1)$ on this curve.

d) Find the sum of the point you found in part (c) and $(1, 1)$. Show that this sum leads to a positive
integer solution.


Computations and Explorations 


1. Extend Table 13.2 to include rows for every pair of integers $m$ and $n$ of opposite parity with
$50 > n > m$.

2. Show that 34 is a congruent number by finding a Pythagorean triple such that the square-free
part of the area of the corresponding triangle is 34.

3. Show that 39 is a congruent number by finding a Pythagorean triple such that the square-free
part of the area of the corresponding triangle is 39.

4. Find the rational point on the elliptic curve $y^2 = x^3 - 53^2x$ corresponding to the primitive
Pythagorean triple $a = m^2 - n^2$, $b = 2mn$, $c = m^2 + n^2$ with $m$ = 1,873,180,325 and $n$ =
1,158,313,156.

5. Find as many arithmetic progressions of three squares as you can by examining the sequence
of squares of integers.

6. Find as many different rational right triangles as you can with area 6 by successive algebraic
doubling of points on the elliptic curve $y^2 = x^3 - 36x$.

7. Find as many different rational right triangles as you can with area 210 by successive algebraic
doubling of points on the elliptic curve $y^2 = x^3 - 210^2x$.

8. Use the fact that (111, 6160, 6161), (231, 2960, 2969), (518, 1320, 1418), and (280, 2442,
2458) are four Pythagorean triples each corresponding to a right triangle with area 341,880 =
$2^2 \cdot 170{,}940$ to find four different rational points on the elliptic curve $y^2 = x^3 - 170{,}940^2x$.
By adding pairs of these points, find additional rational right triangles with area 170,940.
Programming Projects


1. Given a positive integer $U$, extend Table 13.2 to include rows for every pair of integers $m$
and $n$ of opposite parity with $U > m > n$.

2. Given an elliptic curve $y^2 = x^3 + ax + b$ and two points on this curve, find the sum of these
points.

3. Given the side lengths of a rational right triangle with area $N$, find the associated point on the
elliptic curve $y^2 = x^3 - N^2x$. Then use algebraic doubling to find additional rational points
on the curve and the associated rational right triangles with area $N$.


14 The Gaussian Integers 


In previous chapters, we studied properties of the set of integers. A particularly appealing
aspect of number theory is that many basic properties of the integers relating to
divisibility, primality, and factorization can be carried over to other sets of numbers. In
this chapter, we study the set of Gaussian integers, numbers of the form $a + bi$, where
$a$ and $b$ are integers and $i = \sqrt{-1}$. We introduce the concept of divisibility for Gaussian
integers, and establish a version of the division algorithm for them. We describe what it
means for a Gaussian integer to be prime, and develop the notion of greatest common
divisors for pairs of Gaussian integers. Moreover, we show that Gaussian integers can
be written uniquely as the product of Gaussian primes (taking into account a few minor
details). Finally, we show how to use the Gaussian integers to determine how many ways
a positive integer can be written as the sum of two squares. The material in this chapter
is a small step into the world of algebraic number theory, the branch of number theory
devoted to the study of algebraic numbers and their properties. Students continuing their
study of number theory will find this fairly concrete treatment of the Gaussian integers
a useful bridge to more advanced studies. Excellent references for the study of algebraic
number theory include [AIWi03], [Mo99], [Po99], and [Ri01].


14.1 Gaussian Integers and Gaussian Primes


In this chapter, we extend our study of number theory into the realm of complex numbers. 
We begin with a brief review of the basic properties of the complex numbers for those 
who have either never seen this material or need a brief refresher. 


The complex numbers are the numbers of the form $x + yi$, where $i = \sqrt{-1}$. Complex
numbers can be added, subtracted, multiplied, and divided, according to the following
rules:


$$\begin{aligned}
(a+bi)+(c+di) &= (a+c)+(b+d)i \\
(a+bi)-(c+di) &= (a-c)+(b-d)i \\
(a+bi)(c+di) &= ac+adi+bci+bdi^2 = (ac-bd)+(ad+bc)i \\
\frac{a+bi}{c+di} &= \frac{a+bi}{c+di}\cdot\frac{c-di}{c-di} = \frac{ac+bd}{c^2+d^2} + \frac{(-ad+bc)i}{c^2+d^2}
\end{aligned}$$

Note that addition and multiplication of complex numbers are commutative. 


We use the absolute value of an integer to describe the size of this integer. For 
complex numbers, there are several commonly used ways to describe the size of numbers. 
Definition. If $z = x + iy$ is a complex number, then $|z|$, the absolute value of $z$, equals


$$|z| = \sqrt{x^2 + y^2},$$


and $N(z)$, the norm of $z$, equals


$$|z|^2 = x^2 + y^2.$$


Given a complex number, we can form another complex number with the same
absolute value and norm by changing the sign of the imaginary part of the number.


Definition. The conjugate of the complex number $z = a + bi$, denoted by $\overline{z}$, is the
complex number $a - bi$.


Note that if $w$ and $z$ are two complex numbers, then the conjugate of $wz$ is the product
of the conjugates of $w$ and $z$. That is, $\overline{(wz)} = (\overline{w})(\overline{z})$. Also note that if $z = x + iy$ is a
complex number, then


$$z\overline{z} = (x + iy)(x - iy) = x^2 + y^2 = N(z).$$
Next, we prove some useful properties of norms. 


Theorem 14.1. The norm function N from the set of complex numbers to the set of 
nonnegative real numbers satisfies the following properties. 

(i) $N(z)$ is a nonnegative real number for all complex numbers $z$.

(ii) $N(zw) = N(z)N(w)$ for all complex numbers $z$ and $w$.

(iii) $N(z) = 0$ if and only if $z = 0$.

Proof. To prove (i), suppose that $z$ is a complex number. Then $z = x + iy$, where $x$ and
$y$ are real numbers. It follows that $N(z) = x^2 + y^2$ is a nonnegative real number because
both $x^2$ and $y^2$ are nonnegative real numbers.


To prove (ii), note that


$$N(zw) = (zw)\overline{(zw)} = (zw)(\overline{z}\,\overline{w}) = (z\overline{z})(w\overline{w}) = N(z)N(w),$$
whenever $z$ and $w$ are complex numbers.


To prove (iii), note that $0 = 0 + 0i$, so that $N(0) = 0^2 + 0^2 = 0$. Conversely, suppose
that $N(x + iy) = 0$, where $x$ and $y$ are integers. Then $x^2 + y^2 = 0$, which implies that
$x = 0$ and $y = 0$ because both $x^2$ and $y^2$ are nonnegative. Hence, $x + iy = 0 + i0 = 0$. ■


Gaussian Integers 


In previous chapters, we generally restricted ourselves to the rational numbers and 
integers. An important branch of number theory, called algebraic number theory, extends 
the theory we have developed for the integers to particular sets of algebraic integers. 
By an algebraic integer, we mean a root of a monic polynomial (that is, with leading 
coefficient 1) with integer coefficients. We now introduce the particular set of algebraic
integers we will study in this chapter.


Definition. Complex numbers of the form $a + bi$, where $a$ and $b$ are integers, are called
Gaussian integers. The set of all Gaussian integers is denoted by $\mathbf{Z}[i]$.


Note that if $\gamma = a + bi$ is a Gaussian integer, then it is an algebraic integer satisfying
the equation


$$\gamma^2 - 2a\gamma + (a^2 + b^2) = 0,$$


as the reader should verify. Because $\gamma$ satisfies a monic polynomial with integer coefficients
of degree two, it is called a quadratic irrationality. Conversely, note that if $\alpha$ is
a number of the form $r + si$, where $r$ and $s$ are rational numbers and $\alpha$ is a root of a
monic quadratic polynomial with integer coefficients, then $\alpha$ is a Gaussian integer (see
Exercise 22). The Gaussian integers are named after the great German mathematician
Carl Friedrich Gauss, who was the first to extensively study their properties.


The usual convention is to use Greek letters, such as $\alpha$, $\beta$, $\gamma$, and $\delta$, to denote
Gaussian integers. Note that if $n$ is an integer, then $n = n + 0i$ is also a Gaussian integer.
We call an integer n a rational integer when we are discussing Gaussian integers. 


The Gaussian integers are closed under addition, subtraction, and multiplication, as 
the following theorem shows. 


Theorem 14.2. Suppose that $\alpha = x + iy$ and $\beta = w + iz$ are Gaussian integers, where
$x$, $y$, $w$, and $z$ are rational integers. Then $\alpha + \beta$, $\alpha - \beta$, and $\alpha\beta$ are all Gaussian integers.


Proof. We have $\alpha + \beta = (x + iy) + (w + iz) = (x + w) + i(y + z)$, $\alpha - \beta =
(x + iy) - (w + iz) = (x - w) + i(y - z)$, and $\alpha\beta = (x + iy)(w + iz) = xw + iyw +
ixz + i^2yz = (xw - yz) + i(yw + xz)$. Because the rational integers are closed under
addition, subtraction, and multiplication, it follows that each of $\alpha + \beta$, $\alpha - \beta$, and $\alpha\beta$
are Gaussian integers. ■


Although the Gaussian integers are closed under addition, subtraction, and multiplication,
they are not closed under division, which is also the case for the rational integers.
Also, note that if $\alpha = a + bi$ is a Gaussian integer, then $N(\alpha) = a^2 + b^2$ is a nonnegative
rational integer.


Divisibility of Gaussian Integers 


We can study the set of Gaussian integers much as we have studied the set of rational 
integers. There are straightforward analogies to many of the basic properties of the 
integers for the Gaussian integers. To develop these properties for the Gaussian integers, 
we need to introduce some concepts for the Gaussian integers analogous to those for the 
ordinary integers. In particular, we need to define what it means for a Gaussian integer 
to divide another. Later, we will define Gaussian primes, greatest common divisors of 
pairs of Gaussian integers, and other important notions. 
Definition. Suppose that $\alpha$ and $\beta$ are Gaussian integers. We say that $\alpha$ divides $\beta$ if there
exists a Gaussian integer $\gamma$ such that $\beta = \alpha\gamma$. If $\alpha$ divides $\beta$, we write $\alpha \mid \beta$, whereas if
$\alpha$ does not divide $\beta$, we write $\alpha \nmid \beta$.


Example 14.1. We see that $2 - i \mid 13 + i$ because
$$(2 - i)(5 + 3i) = 13 + i.$$
However, $3 + 2i \nmid 6 + 5i$ because
$$\frac{6+5i}{3+2i} = \frac{(6+5i)(3-2i)}{(3+2i)(3-2i)} = \frac{28+3i}{13} = \frac{28}{13} + \frac{3i}{13},$$
which is not a Gaussian integer. ◄


Example 14.2. We see that $-i \mid (a + bi)$ for all Gaussian integers $a + bi$ because
$a + bi = -i(-b + ai)$, whenever $a$ and $b$ are integers. The only other Gaussian integers
that divide all other Gaussian integers are $1$, $-1$, and $i$. We will see why this is true later
in this section. ◄


Example 14.3. The Gaussian integers divisible by the Gaussian integer $3 + 2i$ are the
numbers $(3 + 2i)(a + ib)$, where $a$ and $b$ are integers. Note that $(3 + 2i)(a + ib) =
3a + 2ia + 3ib + 2i^2b = (3a - 2b) + i(2a + 3b)$. We display these Gaussian integers
in Figure 14.1. ◄


Figure 14.1 The Gaussian integers divisible by 3 + 2i.


Divisibility in the Gaussian integers satisfies many of the same properties satisfied
by divisibility of rational integers. For example, if $\alpha$, $\beta$, and $\gamma$ are Gaussian integers
and $\alpha \mid \beta$ and $\beta \mid \gamma$, then $\alpha \mid \gamma$. Furthermore, if $\alpha$, $\beta$, $\gamma$, $\nu$, and $\mu$ are Gaussian integers
and $\gamma \mid \alpha$ and $\gamma \mid \beta$, then $\gamma \mid (\mu\alpha + \nu\beta)$. We leave it to the reader to verify that these
properties hold.


In the integers, there are exactly two integers that are divisors of the integer 1,
namely, $1$ and $-1$. We now determine which Gaussian integers are divisors of 1. We
begin with a definition.


Definition. A Gaussian integer $\epsilon$ is called a unit if $\epsilon$ divides 1. When $\epsilon$ is a unit, $\epsilon\alpha$ is
an associate of the Gaussian integer $\alpha$.


We now characterize which Gaussian integers are units in a way that will make them
easy to find.


Theorem 14.3. A Gaussian integer $\epsilon$ is a unit if and only if $N(\epsilon) = 1$.


Proof. First suppose that $\epsilon$ is a unit. Then there is a Gaussian integer $\nu$ such that $\epsilon\nu = 1$.
By part (ii) of Theorem 14.1, it follows that $N(\epsilon\nu) = N(\epsilon)N(\nu) = 1$. Because $\epsilon$ and
$\nu$ are Gaussian integers, both $N(\epsilon)$ and $N(\nu)$ are positive integers. It follows that
$N(\epsilon) = N(\nu) = 1$.


Conversely, suppose that $N(\epsilon) = 1$. Then $\epsilon\overline{\epsilon} = N(\epsilon) = 1$. It follows that $\overline{\epsilon} \mid 1$ and $\epsilon$
is a unit. ■


We now determine which Gaussian integers are units.


Theorem 14.4. The Gaussian integers that are units are $1$, $-1$, $i$, and $-i$.


Proof. By Theorem 14.3, the Gaussian integer $\epsilon = a + bi$ is a unit if and only if
$N(\epsilon) = 1$. Because $N(\epsilon) = N(a + bi) = a^2 + b^2$, $\epsilon$ is a unit if and only if $a^2 + b^2 = 1$.
Because $a$ and $b$ are rational integers, we can conclude that $\epsilon = a + bi$ is a unit if and
only if $(a, b) = (1, 0)$, $(-1, 0)$, $(0, 1)$, or $(0, -1)$. It follows that $\epsilon$ is a unit if and only
if $\epsilon = 1$, $-1$, $i$, or $-i$. ■


Now that we know which Gaussian integers are units, we see that the associates of
a Gaussian integer $\beta$ are the four Gaussian integers $\beta$, $-\beta$, $i\beta$, and $-i\beta$.


Example 14.4. The associates of the Gaussian integer $-2 + 3i$ are $-2 + 3i$, $-(-2 +
3i) = 2 - 3i$, $i(-2 + 3i) = -2i + 3i^2 = -3 - 2i$, and $-i(-2 + 3i) = 2i - 3i^2 = 3 +
2i$. ◄


Gaussian Primes 


Note that a rational integer is prime if and only if it is not divisible by an integer other than
$1$, $-1$, itself, or its negative. To define Gaussian primes, we want to ignore divisibility by
units and associates.


Definition. A nonzero Gaussian integer $\pi$ is a Gaussian prime if it is not a unit and is
divisible only by units and its associates.


It follows from the definition of a Gaussian prime that a Gaussian integer $\pi$ is prime
if and only if it has exactly eight divisors, the four units and its four associates, namely,
$1$, $-1$, $i$, $-i$, $\pi$, $-\pi$, $i\pi$, and $-i\pi$. (Units in the Gaussian integers have exactly four
divisors, namely, the four units. Gaussian integers that are not prime and are not units
have more than eight different divisors.)


An integer that is prime in the set of integers is called a rational prime. Later we will 
see that some rational primes are Gaussian primes, but some are not. Prior to providing 
examples of Gaussian primes, we prove a useful result that we can use to help determine 
whether a Gaussian integer is prime. 


Theorem 14.5. If $\pi$ is a Gaussian integer and $N(\pi) = p$, where $p$ is a rational prime,
then $\pi$ and $\overline{\pi}$ are Gaussian primes, but $p$ is not a Gaussian prime.


Proof. Suppose that $\pi = \alpha\beta$, where $\alpha$ and $\beta$ are Gaussian integers. Then $N(\pi) =
N(\alpha\beta) = N(\alpha)N(\beta)$, so that $p = N(\alpha)N(\beta)$. Because $N(\alpha)$ and $N(\beta)$ are positive
integers, it follows that $N(\alpha) = 1$ and $N(\beta) = p$ or $N(\alpha) = p$ and $N(\beta) = 1$. We conclude
by Theorem 14.3 that either $\alpha$ is a unit or $\beta$ is a unit. This means that $\pi$ cannot be factored
into two Gaussian integers neither of which is a unit, so it must be a Gaussian prime.


Note that $N(\pi) = \pi \cdot \overline{\pi}$. Because $N(\pi) = p$, it follows that $p = \pi\overline{\pi}$, which means
that $p$ is not a Gaussian prime. Note that because $N(\overline{\pi}) = p$, $\overline{\pi}$ is also a Gaussian prime. ■


We now give some examples of Gaussian primes.


Example 14.5. We can use Theorem 14.5 to show that $2 - i$ is a Gaussian prime
because $N(2 - i) = 2^2 + 1^2 = 5$ and 5 is a rational prime. Also, note that $5 = (2 + i)(2 - i)$,
so that 5 is not a Gaussian prime. Similarly, $2 + 3i$ is a Gaussian prime because
$N(2 + 3i) = 2^2 + 3^2 = 13$ and 13 is a rational prime. Moreover, 13 is not a Gaussian
prime, because $13 = (2 + 3i)(2 - 3i)$. ◄


The converse of Theorem 14.5 is not true. It is possible for a Gaussian prime to have
a norm that is not a rational prime, as we will see in Example 14.6.


Example 14.6. The integer 3 is a Gaussian prime, as we will show, but $N(3) =
N(3 + 0i) = 3^2 + 0^2 = 9$ is not a rational prime. To see that 3 is a Gaussian prime,
suppose that $3 = (a + bi)(c + di)$, where $a + bi$ and $c + di$ are not units. By taking
norms of both sides of this equation, we find that


$$N(3) = N((a + bi) \cdot (c + di)).$$
It follows that


$$9 = N(a + ib)N(c + id),$$


using part (ii) of Theorem 14.1. Because neither $a + ib$ nor $c + id$ is a unit, $N(a +
ib) \ne 1$ and $N(c + id) \ne 1$. Consequently, $N(a + ib) = N(c + id) = 3$. This means that
$N(a + ib) = a^2 + b^2 = 3$, which is impossible because 3 is not the sum of two squares.
It follows that 3 is a Gaussian prime. ◄


We now determine whether the rational prime 2 is also a Gaussian prime.


Example 14.7. To determine whether 2 is a Gaussian prime, we determine whether
there are Gaussian integers $\alpha$ and $\beta$ neither a unit such that $2 = \alpha\beta$, where $\alpha = a + ib$
and $\beta = c + id$. If $2 = \alpha\beta$, by taking norms, we see that


$$N(2) = N(\alpha)N(\beta).$$
Because $N(2) = N(2 + 0i) = 2^2 + 0^2 = 4$, this means that
$$N(\alpha)N(\beta) = (a^2 + b^2)(c^2 + d^2) = 4.$$


Because neither $\alpha$ nor $\beta$ is a unit, we know that $N(\alpha) \ne 1$ and $N(\beta) \ne 1$. It follows that
$a^2 + b^2 = 2$ and $c^2 + d^2 = 2$ so that each of $a$, $b$, $c$, and $d$ equals $1$ or $-1$. Consequently,
$\alpha$ and $\beta$ must take on one of the values $1 + i$, $-1 + i$, $1 - i$, or $-1 - i$. On inspection,
we find that when $\alpha = 1 + i$ and $\beta = 1 - i$, we have $\alpha\beta = 2$. We conclude that 2 is not
a Gaussian prime and $2 = (1 + i)(1 - i)$.


However, $1 + i$ and $1 - i$ are both Gaussian primes, because $N(1 + i) = N(1 - i) =
2$ and 2 is prime, so that Theorem 14.5 applies. ◄


Looking at Examples 14.5, 14.6, and 14.7, we see that some rational primes are also
Gaussian primes, such as 3, while other rational primes, such as $2 = (1 - i)(1 + i)$ and
$5 = (2 + i)(2 - i)$, are not Gaussian primes. In Section 14.3, we will determine which
rational primes are also Gaussian primes and which are not.
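

The eight-divisor characterization of Gaussian primes and Theorem 14.5 can be checked by brute force. The following Python sketch is an added example, not part of the text; it represents $a + bi$ as the tuple (a, b), and all function names are assumptions of the example.

```python
from math import isqrt

def norm(z):
    """N(a + bi) = a^2 + b^2 for a Gaussian integer given as the tuple (a, b)."""
    a, b = z
    return a * a + b * b

def divides(d, z):
    """True when d | z: z * conj(d) / N(d) must have integer real and imaginary parts."""
    (c, e), (a, b) = d, z
    n = norm(d)
    return n != 0 and (a * c + b * e) % n == 0 and (b * c - a * e) % n == 0

def divisors(z):
    """All Gaussian integers dividing the nonzero Gaussian integer z."""
    n = norm(z)
    if n == 0:
        raise ValueError("every Gaussian integer divides 0")
    r = isqrt(n)  # a divisor c + ei has c^2 + e^2 <= N(z), so |c| and |e| are at most r
    found = []
    for c in range(-r, r + 1):
        for e in range(-r, r + 1):
            m = c * c + e * e
            # If d | z then N(d) | N(z), which prunes most candidates cheaply.
            if m > 0 and n % m == 0 and divides((c, e), z):
                found.append((c, e))
    return found

def is_gaussian_prime(z):
    """A Gaussian integer is prime exactly when it has eight divisors:
    the four units and its own four associates."""
    return norm(z) != 0 and len(divisors(z)) == 8

def is_rational_prime(n):
    return n > 1 and all(n % k for k in range(2, isqrt(n) + 1))

def theorem_14_5_counterexamples(limit):
    """Gaussian integers with |a|, |b| <= limit whose norm is a rational prime
    but which are not Gaussian primes. Theorem 14.5 says this list is empty."""
    return [(a, b)
            for a in range(-limit, limit + 1)
            for b in range(-limit, limit + 1)
            if is_rational_prime(norm((a, b))) and not is_gaussian_prime((a, b))]

def converse_failures(limit):
    """Gaussian primes with |a|, |b| <= limit whose norm is not a rational prime,
    showing that the converse of Theorem 14.5 fails (Example 14.6)."""
    return [(a, b)
            for a in range(-limit, limit + 1)
            for b in range(-limit, limit + 1)
            if (a, b) != (0, 0)
            and is_gaussian_prime((a, b))
            and not is_rational_prime(norm((a, b)))]

if __name__ == "__main__":
    for z in [(2, -1), (2, 3), (3, 0), (5, 0), (2, 0), (1, 1)]:
        print(z, "norm", norm(z), "divisors", len(divisors(z)),
              "Gaussian prime" if is_gaussian_prime(z) else "not a Gaussian prime")
    print("converse fails for:", converse_failures(4))
```

The divisor counts make the definition concrete: 3 has exactly eight divisors, while 2 has twelve and 5 has sixteen.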


The Division Algorithm for Gaussian Integers 


In the first chapter of this book, we introduced the division algorithm for rational integers, 
which shows that when we divide an integer a by a positive integer divisor b, we obtain 
a nonnegative remainder r less than b. Furthermore, the quotient and remainder we 
obtain are unique. We would like an analogous result for the Gaussian integers, but 
in the Gaussian integers it does not make sense to say that a remainder of a division is 
smaller than the divisor. We overcome this difficulty by developing a division algorithm 
where the remainder of a division has norm less than the norm of the divisor. However, 
unlike the situation for rational integers, the quotient and remainder we compute are not 
unique, as we will illustrate with a subsequent example. 


Theorem 14.6. The Division Algorithm for Gaussian Integers. Let $\alpha$ and $\beta$ be
Gaussian integers with $\beta \ne 0$. Then there exist Gaussian integers $\gamma$ and $\rho$ such that


$$\alpha = \beta\gamma + \rho$$
and $0 \le N(\rho) < N(\beta)$. Here $\gamma$ is called the quotient and $\rho$ is called the remainder of
this division.

Proof. Suppose that $\alpha/\beta = x + iy$. Then $x + iy$ is a complex number that is a Gaussian
integer if and only if $\beta$ divides $\alpha$. Let $s = [x + \frac{1}{2}]$ and $t = [y + \frac{1}{2}]$ (these are the integers
closest to $x$ and $y$, respectively, rounded up if the fractional part of $x$ or $y$ equals 1/2; see
Figure 14.2).


Figure 14.2 Determining the quotient $\gamma$ when $\alpha$ is divided by $\beta$.


With these choices for $s$ and $t$, we find that
$$x + iy = (s + f) + i(t + g),$$


where $f$ and $g$ are real numbers with $|f| \le 1/2$ and $|g| \le 1/2$. Now let $\gamma = s + ti$ and
$\rho = \alpha - \beta\gamma$. By Theorem 14.1, we know that $N(\rho) \ge 0$.


To show that $N(\rho) < N(\beta)$, recalling that $\alpha/\beta = x + iy$ and using Theorem 14.1
(ii), we see that


$$N(\rho) = N(\alpha - \beta\gamma) = N(((\alpha/\beta) - \gamma)\beta) = N(((x + iy) - \gamma)\beta) = N((x + iy) - \gamma)N(\beta).$$
Because $\gamma = s + ti$, $x - s = f$, and $y - t = g$, we find that
$$N(\rho) = N((x + iy) - (s + ti))N(\beta) = N(f + ig)N(\beta).$$
Finally, because $|f| \le 1/2$ and $|g| \le 1/2$, we conclude that


$$N(\rho) = N(f + ig)N(\beta) \le ((1/2)^2 + (1/2)^2)N(\beta) \le N(\beta)/2 < N(\beta).$$
This completes the proof. ■


Remark. In the proof of Theorem 14.6, when we divide a Gaussian integer $\alpha$ by a
nonzero Gaussian integer $\beta$, we construct a remainder $\rho$ such that $0 \le N(\rho) \le N(\beta)/2$.
That is, the norm of the remainder does not exceed 1/2 of the norm of the divisor. This
will be a useful fact to remember.


Example 14.8 illustrates how to find the quotient and remainder computed in the
proof of Theorem 14.6. This example also illustrates that these values are not unique, in
the sense that there are other possible values that satisfy the conclusions of the theorem.


Example 14.8. Let $\alpha = 13 + 20i$ and $\beta = -3 + 5i$. We can follow the steps in the
proof of Theorem 14.6 to find $\gamma$ and $\rho$ such that $\alpha = \beta\gamma + \rho$ and $N(\rho) < N(\beta)$, that is,
with $13 + 20i = (-3 + 5i)\gamma + \rho$ and $0 \le N(\rho) < N(-3 + 5i) = 34$. We first divide $\alpha$
by $\beta$ to obtain


$$\frac{13 + 20i}{-3 + 5i} = \frac{61}{34} - \frac{125}{34}i.$$


Next, we find the integers closest to $\frac{61}{34}$ and $-\frac{125}{34}$, namely, $2$ and $-4$, respectively.
Consequently, we take $\gamma = 2 - 4i$ as the quotient. The corresponding remainder is $\rho =
\alpha - \beta\gamma = (13 + 20i) - (-3 + 5i)\gamma = (13 + 20i) - (-3 + 5i)(2 - 4i) = -1 - 2i$. We
verify that $N(\rho) \le N(\beta)/2 < N(\beta)$ by noting that $N(-1 - 2i) = 5 < N(-3 + 5i)/2 =
34/2 = 17$, as expected (see the previous Remark).


Other choices for $\gamma$ and $\rho$ besides those produced by the construction in the proof
of Theorem 14.6 satisfy the consequences of the division algorithm. For example, we
can take $\gamma = 2 - 3i$ and $\rho = 4 + i$, because $13 + 20i = (-3 + 5i)(2 - 3i) + (4 + i)$ and
$N(4 + i) = 17 \le N(-3 + 5i)/2 = 34/2 = 17 < N(-3 + 5i)$. (See Exercise 19.) ◄
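

The construction in the proof of Theorem 14.6, and the non-uniqueness shown in Example 14.8, can be carried out in exact integer arithmetic. The following Python sketch is an added example, not part of the text; it represents $a + bi$ as the tuple (a, b), and the function names are assumptions of the example.

```python
def norm(z):
    """N(a + bi) = a^2 + b^2 for a Gaussian integer given as the tuple (a, b)."""
    a, b = z
    return a * a + b * b

def mul(z, w):
    """(a + bi)(c + di) = (ac - bd) + (ad + bc)i."""
    (a, b), (c, d) = z, w
    return (a * c - b * d, a * d + b * c)

def sub(z, w):
    return (z[0] - w[0], z[1] - w[1])

def round_half_up(num, den):
    """[num/den + 1/2] for den > 0: the nearest integer, ties rounded up.
    Integer floor division avoids any floating-point rounding."""
    return (2 * num + den) // (2 * den)

def gauss_divmod(alpha, beta):
    """Quotient gamma and remainder rho built as in the proof of Theorem 14.6,
    so that alpha = beta*gamma + rho and N(rho) <= N(beta)/2."""
    n = norm(beta)
    if n == 0:
        raise ZeroDivisionError("beta must be a nonzero Gaussian integer")
    (a, b), (c, d) = alpha, beta
    # alpha/beta = alpha * conj(beta) / N(beta) = x + iy with x = xn/n, y = yn/n
    xn = a * c + b * d
    yn = b * c - a * d
    gamma = (round_half_up(xn, n), round_half_up(yn, n))
    rho = sub(alpha, mul(beta, gamma))
    return gamma, rho

def all_divisions(alpha, beta):
    """Every pair (gamma, rho) with alpha = beta*gamma + rho and N(rho) < N(beta).

    N(rho) < N(beta) means gamma lies within distance 1 of alpha/beta, and the
    rounded quotient (s, t) is within 1/2 of alpha/beta in each coordinate, so
    only the nine lattice points (s + ds, t + dt) with ds, dt in {-1, 0, 1}
    need to be tested."""
    (s, t), _ = gauss_divmod(alpha, beta)
    pairs = []
    for ds in (-1, 0, 1):
        for dt in (-1, 0, 1):
            gamma = (s + ds, t + dt)
            rho = sub(alpha, mul(beta, gamma))
            if norm(rho) < norm(beta):
                pairs.append((gamma, rho))
    return pairs

if __name__ == "__main__":
    alpha, beta = (13, 20), (-3, 5)          # the values of Example 14.8
    gamma, rho = gauss_divmod(alpha, beta)
    print("proof construction:", gamma, rho, "N(rho) =", norm(rho))
    for g, r in all_divisions(alpha, beta):
        print("valid pair:", g, r, "N(rho) =", norm(r))
```

For the values of Example 14.8 the search finds three valid pairs: the two given in the example and $\gamma = 1 - 4i$, $\rho = -4 + 3i$ with $N(\rho) = 25$.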


EXERCISES 


1. Simplify each of the following expressions, expressing your answer in the form of a Gaussian
integer $a + bi$.
a) $(2 + i)^2(3 + i)$ b) $(2 - 3i)^3$ c) $-i(-i + 3)^3$


2. Simplify each of the following expressions, expressing your answer in the form of a Gaussian
integer $a + bi$.
a) $(-1 + i)^3(1 + i)^3$ b) $(3 + 2i)(3 - i)^2$ c) $(2 + i)^2(5 - i)^2$


3. Determine whether the Gaussian integer $\alpha$ divides the Gaussian integer $\beta$ if
a) $\alpha = 2 - i$, $\beta = 5 + 5i$. c) $\alpha = 5$, $\beta = 2 + 3i$.
b) $\alpha = 1 - i$, $\beta = 8$. d) $\alpha = 3 + 2i$, $\beta = 26$.


4. Determine whether the Gaussian integer $\alpha$ divides the Gaussian integer $\beta$, where
a) $\alpha = 3$, $\beta = 4 + 7i$. c) $\alpha = 5 + 3i$, $\beta = 30 + 6i$.
b) $\alpha = 2 + i$, $\beta = 15$. d) $\alpha = 11 + 4i$, $\beta = 274$.
5. Give a formula for all Gaussian integers divisible by $4 + 3i$, and display the set of all such
Gaussian integers in the plane.

6. Give a formula for all Gaussian integers divisible by $4 - i$, and display the set of all such
Gaussian integers in the plane.

7. Show that if $\alpha$, $\beta$, and $\gamma$ are Gaussian integers and $\alpha \mid \beta$ and $\beta \mid \gamma$, then $\alpha \mid \gamma$.

8. Show that if $\alpha$, $\beta$, $\gamma$, $\mu$, and $\nu$ are Gaussian integers and $\gamma \mid \alpha$ and $\gamma \mid \beta$, then $\gamma \mid (\mu\alpha + \nu\beta)$.

9. Show that if $\epsilon$ is a unit for the Gaussian integers, then $\epsilon^5 = \epsilon$.

10. Find all Gaussian integers $\alpha = a + bi$ such that $\overline{\alpha} = a - bi$, the conjugate of $\alpha$, is an associate
of $\alpha$.

11. Show that the Gaussian integers $\alpha$ and $\beta$ are associates if $\alpha \mid \beta$ and $\beta \mid \alpha$.

12. Show that if $\alpha$ and $\beta$ are Gaussian integers and $\alpha \mid \beta$, then $N(\alpha) \mid N(\beta)$.

13. Suppose that $N(\alpha) \mid N(\beta)$, where $\alpha$ and $\beta$ are Gaussian integers. Does it necessarily follow
that $\alpha \mid \beta$? Supply either a proof or a counterexample.

14. Show that if $\alpha$ divides $\beta$, where $\alpha$ and $\beta$ are Gaussian integers, then $\overline{\alpha}$ divides $\overline{\beta}$.

15. Show that if $\alpha = a + bi$ is a nonzero Gaussian integer, then $\alpha$ has exactly one associate $c + di$
(including $\alpha$ itself), where $c > 0$ and $d \ge 0$.

16. For each pair of values for $\alpha$ and $\beta$, find the quotient $\gamma$ and the remainder $\rho$ when $\alpha$ is
divided by $\beta$ computed following the construction in the proof of Theorem 14.6, and verify
that $N(\rho) < N(\beta)$.
a) $\alpha = 14 + 17i$, $\beta = 2 + 3i$ b) $\alpha = 7 - 19i$, $\beta = 3 - 4i$ c) $\alpha = 33$, $\beta = 5 + i$

17. For each pair of values for $\alpha$ and $\beta$, find the quotient $\gamma$ and the remainder $\rho$ when $\alpha$ is
divided by $\beta$ computed following the construction in the proof of Theorem 14.6, and verify
that $N(\rho) < N(\beta)$.
a) $\alpha = 24 - 9i$, $\beta = 3 + 3i$ b) $\alpha = 18 + 15i$, $\beta = 3 + 4i$ c) $\alpha = 87i$, $\beta = 11 - 2i$

18. For each pair of values for $\alpha$ and $\beta$ in Exercise 16, find a pair of Gaussian integers $\gamma$ and $\rho$ such
that $\alpha = \beta\gamma + \rho$ and $N(\rho) < N(\beta)$ different from that computed following the construction
in Theorem 14.6.

19. For each pair of values for $\alpha$ and $\beta$ in Exercise 17, find a pair of Gaussian integers $\gamma$ and $\rho$ such
that $\alpha = \beta\gamma + \rho$ and $N(\rho) < N(\beta)$ different from that computed following the construction
in Theorem 14.6.

20. Show that for every pair of Gaussian integers $\alpha$ and $\beta$ with $\beta \ne 0$ and $\beta \nmid \alpha$, there are at least
two different pairs of Gaussian integers $\gamma$ and $\rho$ such that $\alpha = \beta\gamma + \rho$ and $N(\rho) < N(\beta)$.

21. Determine all possible values for the number of pairs of Gaussian integers $\gamma$ and $\rho$ such
that $\alpha = \beta\gamma + \rho$ and $N(\rho) < N(\beta)$ when $\alpha$ and $\beta$ are Gaussian integers and $\beta \ne 0$. (Hint:
Analyze this geometrically by looking at the position of $\alpha/\beta$ in the square containing it and
with four lattice points as its corners.)

22. Show that if a number of the form $r + si$, where $r$ and $s$ are rational numbers, is an algebraic
integer, then $r$ and $s$ are integers.

23. Show that $1 + i$ divides a Gaussian integer $a + ib$ if and only if $a$ and $b$ are both even or both
odd.

24. Show that if $\pi$ is a Gaussian prime, then $N(\pi) = 2$ or $N(\pi) \equiv 1 \pmod 4$.

25. Find all Gaussian primes of the form $\alpha^2 + 1$, where $\alpha$ is a Gaussian integer.


26. Show that if $a + bi$ is a Gaussian prime, then $b + ai$ is also a Gaussian prime.

27. Show that the rational prime 7 is also a Gaussian prime by adapting the argument given in
Example 14.6 that shows 3 is a Gaussian prime.

28. Show that every rational prime $p$ of the form $4k + 3$ is also a Gaussian prime.

29. Suppose that $\alpha$ is a nonzero Gaussian integer that is neither a unit nor a prime. Show that a
Gaussian integer $\beta$ exists such that $\beta \mid \alpha$ and $1 < N(\beta) \le \sqrt{N(\alpha)}$.

30. Explain how to adapt the sieve of Eratosthenes to find all the Gaussian primes with norm less
than a specified limit.

31. Find all the Gaussian primes with norm less than 100.

32. Display all the Gaussian primes with norm less than 200 as lattice points in the plane.


We can define the notion of congruence for Gaussian integers. Suppose that $\alpha$, $\beta$, and $\gamma$ are
Gaussian integers and that $\gamma \ne 0$. We say that $\alpha$ is congruent to $\beta$ modulo $\gamma$ and we write
$\alpha \equiv \beta \pmod{\gamma}$ if $\gamma \mid (\alpha - \beta)$.


33. Suppose that $\mu$ is a nonzero Gaussian integer. Show that each of the following properties
holds.

a) If $\alpha$ is a Gaussian integer, then $\alpha \equiv \alpha \pmod{\mu}$.

b) If $\alpha \equiv \beta \pmod{\mu}$, then $\beta \equiv \alpha \pmod{\mu}$.

c) If $\alpha \equiv \beta \pmod{\mu}$ and $\beta \equiv \gamma \pmod{\mu}$, then $\alpha \equiv \gamma \pmod{\mu}$.

34. Suppose that $\alpha \equiv \beta \pmod{\mu}$ and $\gamma \equiv \delta \pmod{\mu}$, where $\alpha$, $\beta$, $\gamma$, $\delta$, and $\mu$ are Gaussian
integers and $\mu \ne 0$. Show that each of these properties holds.
a) $\alpha + \gamma \equiv \beta + \delta \pmod{\mu}$ b) $\alpha - \gamma \equiv \beta - \delta \pmod{\mu}$ c) $\alpha\gamma \equiv \beta\delta \pmod{\mu}$

35. Show that two Gaussian integers $\alpha = a_1 + ib_1$ and $\beta = a_2 + ib_2$ can be multiplied using only
three multiplications of rational integers, rather than the four in the equation shown in the
text, together with five additions and subtractions. (Hint: One way to do this uses the product
$(a_1 + b_1)(a_2 + b_2)$. A second way uses the product $b_2(a_1 + b_1)$.)

36. When $a$ and $b$ are real numbers, let $\{a + bi\} = \{a\} + \{b\}i$, where $\{x\}$ is the closest integer to
the real number $x$, rounding up in the case of a tie. Show that if $z$ is a complex number, then
no Gaussian integer is closer to $z$ than $\{z\}$ and $N(z - \{z\}) \le 1/2$.


Let $k$ be a nonnegative integer. The Gaussian Fibonacci number $G_k$ is defined in terms of the
Fibonacci numbers with $G_k = f_k + if_{k+1}$. Exercises 37-39 involve Gaussian Fibonacci numbers.


37. a) List the terms of the Gaussian Fibonacci sequence for $k = 0, 1, 2, 3, 4, 5$. (Recall that
$f_0 = 0$.)
b) Show that $G_k = G_{k-1} + G_{k-2}$ for $k = 2, 3, \ldots$.

38. Show that $N(G_k) = f_{2k+1}$ for all nonnegative integers $k$.

39. Show that $G_{n+2}G_{n+1} - G_{n+3}G_n = (-1)^n(2 + i)$, whenever $n$ is a positive integer.

40. Show that every Gaussian integer can be written in the form $a_n(-1 + i)^n + a_{n-1}(-1 +
i)^{n-1} + \cdots + a_1(-1 + i) + a_0$, where $a_j = 0$ or $1$ for $j = 0, 1, \ldots, n - 1, n$.

41. Show that if $\alpha$ is a number of the form $r + si$, where $r$ and $s$ are rational numbers and $\alpha$ is a
root of a monic quadratic polynomial with integer coefficients, then $\alpha$ is a Gaussian integer.


42. What can you conclude if $\pi = a + bi$ is a Gaussian prime and one of the Gaussian integers
$(a + 1) + bi$, $(a - 1) + bi$, $a + (b + 1)i$, and $a + (b - 1)i$ is also a Gaussian prime?

43. Show that if $\pi_1 = a - 1 + bi$, $\pi_2 = a + 1 + bi$, $\pi_3 = a + (b - 1)i$, and $\pi_4 = a + (b + 1)i$ are
all Gaussian primes and $|a| + |b| > 5$, then 5 divides both $a$ and $b$ and neither $a$ nor $b$ is zero.

44. Describe the block of Gaussian integers containing no Gaussian primes that can be constructed
by first forming the product of all Gaussian integers $a + bi$ with $a$ and $b$ rational
integers, $0 < a < m$, and $0 < b < n$.

45. Find all Gaussian integers $\alpha$, $\beta$, and $\gamma$ such that $\alpha\beta\gamma = \alpha + \beta + \gamma = 1$.

46. Show that if $\pi$ is a Gaussian prime with $N(\pi) \ne 2$, then exactly one of the associates of $\pi$ is
congruent to either $1$ or $3 + 2i$ modulo 4.


Computations and Explorations 


1. Find all pairs of Gaussian integers $\gamma$ and $\rho$ such that $180 - 181i = (12 + 13i)\gamma + \rho$ and
$N(\rho) < N(12 + 13i)$.

2. Use a version of the sieve of Eratosthenes to find all Gaussian primes with norm less than
1000.

3. Find as many different pairs of Gaussian primes that differ by 2 as you can.

4. Find as many triples of Gaussian primes that form an arithmetic progression with a common
difference of 2 as you can.

5. Find as many Gaussian primes as you can of the form $1 + bi$ where $b$ is an integer. (It is
unknown whether there are infinitely many such primes.)

6. Find as many Gaussian primes of the form $\alpha^2 + \alpha + (9 + 4i)$ as you can.

7. Estimate the probability that two randomly chosen Gaussian integers are relatively prime by
testing whether a large number of randomly chosen pairs of Gaussian integers are relatively
prime.

8. Search for Gaussian moats, which are regions of width $k$, where $k$ is a positive real number, in
the complex plane surrounding the origin that contain no Gaussian primes. (See [GeWaWi98]
for more information about Gaussian moats.)


Programming Projects 


1. Given two Gaussian integers $\alpha$ and $\beta$, find all pairs of Gaussian integers $\gamma$ and $\rho$ such that
$\alpha = \gamma\beta + \rho$.

2. Implement a version of the sieve of Eratosthenes to find all Gaussian primes with norm less
than a specified integer.

3. Given a positive real number $k$ and a positive integer $n$, find all Gaussian primes with norm
less than $n$ that can be reached, starting with a Gaussian prime with norm not exceeding 5
moving from one Gaussian prime to the next in steps not exceeding $k$.

4. Display a graph of the Gaussian primes that can be reached as described in the preceding
programming project.
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Greatest Common Divisors and Unique Factorization 


In Chapter 3, we showed that every pair of rational integers not both zero has a greatest 
common divisor. Using properties of the greatest common divisor, we showed that if 
a prime divides the product of two integers, it must divide one of these integers. We 
used this fact to show that every integer can be uniquely written as the product of the 
powers of primes when these primes are written in increasing order. In this section, we 
will establish analogous results for the Gaussian integers. We first develop the concept 
of greatest common divisors for Gaussian integers. We will show that every pair of 
Gaussian integers, not both zero, has a greatest common divisor. Then we will show 
that if a Gaussian prime divides the product of two Gaussian integers, it must divide one 
of these integers. We will use this result to develop a unique factorization theorem for 
the Gaussian integers. 


Greatest Common Divisors 


We cannot adapt the original definition we gave for greatest common divisors of integers, 
because it does not make sense to say that one Gaussian integer is larger than another 
one. However, we will be able to define the notion of a greatest common divisor for a pair 
of Gaussian integers by adapting the characterization of the greatest common divisor of 
two rational integers that does not use the ordering of the integers given in Theorem 3.10. 


Definition. Let $\alpha$ and $\beta$ be Gaussian integers. A greatest common divisor of $\alpha$ and $\beta$
is a Gaussian integer $\gamma$ with these two properties:

(i) $\gamma \mid \alpha$ and $\gamma \mid \beta$;

and

(ii) if $\delta \mid \alpha$ and $\delta \mid \beta$, then $\delta \mid \gamma$.

If $\gamma$ is a greatest common divisor of the Gaussian integers $\alpha$ and $\beta$, then it is
straightforward to show that all associates of $\gamma$ are also greatest common divisors of
$\alpha$ and $\beta$ (see Exercise 5). Consequently, if $\gamma$ is a greatest common divisor of $\alpha$ and $\beta$,
then $-\gamma$, $i\gamma$, and $-i\gamma$ are also greatest common divisors of $\alpha$ and $\beta$. The converse is also
true, that is, any two greatest common divisors of two Gaussian integers are associates,
as we will prove later in this section. First, we will show that a greatest common divisor
exists for every two Gaussian integers.

Theorem 14.7. If $\alpha$ and $\beta$ are Gaussian integers, not both zero, then

(i) there exists a greatest common divisor $\gamma$ of $\alpha$ and $\beta$;

and

(ii) if $\gamma$ is a greatest common divisor of $\alpha$ and $\beta$, then there exist Gaussian integers
$\mu$ and $\nu$ (called Bezout coefficients of $\alpha$ and $\beta$) such that $\gamma = \mu\alpha + \nu\beta$.


Proof. Let $S$ be the set of norms of nonzero Gaussian integers of the form

$$\mu\alpha + \nu\beta,$$

where $\mu$ and $\nu$ are Gaussian integers. Because $\mu\alpha + \nu\beta$ is a Gaussian integer when $\mu$
and $\nu$ are Gaussian integers and the norm of a nonzero Gaussian integer is a positive
integer, every element of $S$ is a positive integer. $S$ is nonempty, which can be seen because
$N(1 \cdot \alpha + 0 \cdot \beta) = N(\alpha)$ and $N(0 \cdot \alpha + 1 \cdot \beta) = N(\beta)$ both belong to $S$ and cannot be
both 0.


Because $S$ is a nonempty set of positive integers, by the well-ordering property, it
contains a least element. Consequently, a Gaussian integer $\gamma$ exists with

$$\gamma = \mu_0\alpha + \nu_0\beta,$$

where $\mu_0$ and $\nu_0$ are Gaussian integers and $N(\gamma) \le N(\mu\alpha + \nu\beta)$ for all Gaussian integers
$\mu$ and $\nu$.


We will show that $\gamma$ is a greatest common divisor of $\alpha$ and $\beta$. First, suppose that
$\delta \mid \alpha$ and $\delta \mid \beta$. Then there exist Gaussian integers $\rho$ and $\sigma$ such that $\alpha = \delta\rho$ and $\beta = \delta\sigma$.
It follows that

$$\gamma = \mu_0\alpha + \nu_0\beta = \mu_0\delta\rho + \nu_0\delta\sigma = \delta(\mu_0\rho + \nu_0\sigma).$$

We see that $\delta \mid \gamma$.


To show that $\gamma \mid \alpha$ and $\gamma \mid \beta$, we will show that $\gamma$ divides every Gaussian integer of
the form $\mu\alpha + \nu\beta$. So, suppose that $\tau = \mu_1\alpha + \nu_1\beta$ for Gaussian integers $\mu_1$ and $\nu_1$. By
Theorem 14.6, the division algorithm for Gaussian integers, we see that

$$\tau = \gamma\eta + \zeta,$$

where $\eta$ and $\zeta$ are Gaussian integers with $0 \le N(\zeta) < N(\gamma)$. Furthermore, $\zeta$ is a
Gaussian integer of the form $\mu\alpha + \nu\beta$. To see this, note that

$$\zeta = \tau - \gamma\eta = (\mu_1\alpha + \nu_1\beta) - (\mu_0\alpha + \nu_0\beta)\eta = (\mu_1 - \mu_0\eta)\alpha + (\nu_1 - \nu_0\eta)\beta.$$

Recall that $\gamma$ was chosen as an element with smallest possible norm among the nonzero
Gaussian integers of the form $\mu\alpha + \nu\beta$. Consequently, because $\zeta$ has this form and
$0 \le N(\zeta) < N(\gamma)$, we know that $N(\zeta) = 0$. By Theorem 14.1, we see that $\zeta = 0$.
Consequently, $\tau = \gamma\eta$. We conclude that every Gaussian integer of the form $\mu\alpha + \nu\beta$ is
divisible by $\gamma$. ■


We now show that any two greatest common divisors of two Gaussian integers must 
be associates. 


Theorem 14.8. If both $\gamma_1$ and $\gamma_2$ are greatest common divisors of the Gaussian integers
$\alpha$ and $\beta$, not both zero, then $\gamma_1$ and $\gamma_2$ are associates of each other.


Proof. Suppose that $\gamma_1$ and $\gamma_2$ are both greatest common divisors of $\alpha$ and $\beta$. By part
(ii) of the definition of greatest common divisor, it follows that $\gamma_1 \mid \gamma_2$ and $\gamma_2 \mid \gamma_1$. This
means there are Gaussian integers $\epsilon$ and $\theta$ such that $\gamma_2 = \epsilon\gamma_1$ and $\gamma_1 = \theta\gamma_2$. Combining
these two equations, we see that

$$\gamma_1 = \theta\epsilon\gamma_1.$$

Divide both sides by $\gamma_1$ (which does not equal 0 because 0 is not a common divisor of
two Gaussian integers if they are not both zero) to see that

$$\theta\epsilon = 1.$$

We conclude that $\theta$ and $\epsilon$ are both units. Because $\gamma_1 = \theta\gamma_2$, we see that $\gamma_1$ and $\gamma_2$ are
associates. ■


The demonstration that the converse of Theorem 14.8 is also true is left as Exercise 5 
at the end of this section. 


Definition. The Gaussian integers $\alpha$ and $\beta$ are relatively prime if 1 is a greatest common
divisor of $\alpha$ and $\beta$.


Note that 1 is a greatest common divisor of $\alpha$ and $\beta$ if and only if the associates of 1,
namely, $-1$, $i$, and $-i$, are also greatest common divisors of $\alpha$ and $\beta$. For example, if we
know that $i$ is a greatest common divisor of $\alpha$ and $\beta$, then these two Gaussian integers
are relatively prime.


We can adapt the Euclidean algorithm (Theorem 3.11) to find a greatest common 
divisor of two Gaussian integers. 


Theorem 14.9. A Euclidean Algorithm for Gaussian Integers. Let $\rho_0 = \alpha$ and
$\rho_1 = \beta$ be nonzero Gaussian integers. If the division algorithm for Gaussian integers
is successively applied to obtain $\rho_j = \rho_{j+1}\gamma_{j+1} + \rho_{j+2}$, with $N(\rho_{j+2}) < N(\rho_{j+1})$ for
$j = 0, 1, 2, \ldots, n - 2$ and $\rho_{n+1} = 0$, then $\rho_n$, the last nonzero remainder, is a greatest
common divisor of $\alpha$ and $\beta$.


We leave the proof of Theorem 14.9 to the reader; it is a straightforward adaption
of the proof of Theorem 3.11. Note that we can also work backward through the steps
of the Euclidean algorithm for Gaussian integers to express the greatest common divisor
found by the algorithm as a linear combination of the two Gaussian integers provided as
input to the algorithm. We illustrate this in the following example.


Example 14.9. Suppose that $\alpha = 97 + 210i$ and $\beta = 123 + 16i$. The version of the
Euclidean algorithm based on the version of the division algorithm in the proof of
Theorem 14.6 can be used to find the greatest common divisors of $\alpha$ and $\beta$ with the
following steps:

$$\begin{aligned}
97 + 210i &= (123 + 16i)(1 + 2i) + (6 - 52i)\\
123 + 16i &= (6 - 52i)(2i) + (19 + 4i)\\
6 - 52i &= (19 + 4i)(-3i) + (-6 + 5i)\\
19 + 4i &= (-6 + 5i)(-2 - 2i) + (-3 + 2i)\\
-6 + 5i &= (-3 + 2i)2 + i\\
-3 + 2i &= i(2 + 3i) + 0.
\end{aligned}$$

We conclude that $i$ is a greatest common divisor of $97 + 210i$ and $123 + 16i$.
Consequently, all greatest common divisors of these two Gaussian integers are the
associates of $i$, namely, $1$, $-1$, $i$, and $-i$. It follows that $97 + 210i$ and $123 + 16i$ are
relatively prime.


Because $97 + 210i$ and $123 + 16i$ are relatively prime, we can express 1 as a linear
combination of these Gaussian integers. We can find Gaussian integers $\mu$ and $\nu$ such that
$1 = \mu\alpha + \nu\beta$ by working backward through these steps and then multiplying both sides
by $-i$ to obtain 1. These computations, which we leave to the reader, show that

$$(97 + 210i)(-24 + 21i) + (123 + 16i)(57 + 17i) = 1.$$ ◀
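The steps of Example 14.9, and the Bezout coefficients it leaves to the reader, can be reproduced mechanically. The following Python sketch is an added example, not part of the text: it assumes the division step chooses the quotient by rounding the real and imaginary parts of $\alpha/\beta$ to the nearest integers (an assumption about the construction behind Theorem 14.6), stores $a + bi$ as the tuple `(a, b)`, and uses illustrative function names.

```python
"""Euclidean algorithm in Z[i] with Bezout coefficients (added example).

A Gaussian integer a + bi is stored as the tuple (a, b).
"""


def g_sub(x, y):
    return (x[0] - y[0], x[1] - y[1])


def g_mul(x, y):
    (a, b), (c, d) = x, y
    return (a * c - b * d, a * d + b * c)


def g_conj(x):
    return (x[0], -x[1])


def norm(x):
    return x[0] * x[0] + x[1] * x[1]


def _nearest(p, n):
    """Nearest integer to p/n for n > 0 (ties round up), in exact arithmetic."""
    return (2 * p + n) // (2 * n)


def g_divmod(alpha, beta):
    """Return (gamma, rho) with alpha = beta*gamma + rho and N(rho) <= N(beta)/2."""
    n = norm(beta)
    if n == 0:
        raise ZeroDivisionError("division by the Gaussian integer 0")
    # alpha/beta = alpha*conj(beta)/N(beta); round each coordinate (assumed rule).
    p, q = g_mul(alpha, g_conj(beta))
    gamma = (_nearest(p, n), _nearest(q, n))
    return gamma, g_sub(alpha, g_mul(beta, gamma))


def g_xgcd(alpha, beta):
    """Return (gamma, mu, nu, steps) where gamma = mu*alpha + nu*beta is a gcd.

    steps lists (dividend, divisor, quotient, remainder) for each division.
    """
    if alpha == (0, 0) and beta == (0, 0):
        raise ValueError("gcd is undefined when both inputs are zero")
    r0, r1 = alpha, beta
    m0, m1 = (1, 0), (0, 0)   # coefficients of alpha
    n0, n1 = (0, 0), (1, 0)   # coefficients of beta
    steps = []
    while r1 != (0, 0):
        q, r2 = g_divmod(r0, r1)
        steps.append((r0, r1, q, r2))
        r0, r1 = r1, r2
        m0, m1 = m1, g_sub(m0, g_mul(q, m1))
        n0, n1 = n1, g_sub(n0, g_mul(q, n1))
    return r0, m0, n0, steps


def bezout_for_one(alpha, beta):
    """For relatively prime inputs, return (mu, nu) with mu*alpha + nu*beta = 1."""
    gamma, mu, nu, _ = g_xgcd(alpha, beta)
    if norm(gamma) != 1:
        raise ValueError("inputs are not relatively prime")
    inv = g_conj(gamma)  # the inverse of a unit is its conjugate
    return g_mul(inv, mu), g_mul(inv, nu)


if __name__ == "__main__":
    a, b = (97, 210), (123, 16)   # the pair from Example 14.9
    gamma, mu, nu, steps = g_xgcd(a, b)
    for dividend, divisor, q, r in steps:
        print(dividend, "=", divisor, "*", q, "+", r)
    print("gcd:", gamma, " coefficients for 1:", bezout_for_one(a, b))
```

Because the gcd is only determined up to a unit, `g_xgcd` returns whichever associate the last division produces; `bezout_for_one` multiplies through by the inverse unit, which is the "multiply both sides by $-i$" step of the example.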


Unique Factorization for Gaussian Integers 


The fundamental theorem of arithmetic states that every rational integer has a unique 
factorization into primes. Its proof depends on the fact that if the rational prime p divides 
the product of two rational integers ab, then p divides either a or b. We now prove an 
analogous fact about the Gaussian integers that will play the crucial role in proving 
unique factorization for the Gaussian integers. 


Lemma 14.1. If $\pi$ is a Gaussian prime and $\alpha$ and $\beta$ are Gaussian integers such that
$\pi \mid \alpha\beta$, then $\pi \mid \alpha$ or $\pi \mid \beta$.


Proof. Suppose that $\pi$ does not divide $\alpha$. We will show that $\pi$ must then divide $\beta$.
Because $\pi \nmid \alpha$, we also know that $\epsilon\pi \nmid \alpha$ when $\epsilon$ is a unit. Because the only divisors
of $\pi$ are $1$, $-1$, $i$, $-i$, $\pi$, $-\pi$, $i\pi$, and $-i\pi$, it follows that a greatest common divisor of
$\pi$ and $\alpha$ must be a unit. This means that 1 is a greatest common divisor of $\pi$ and $\alpha$. By
Theorem 14.7, we know that there exist Gaussian integers $\mu$ and $\nu$ such that

$$1 = \mu\pi + \nu\alpha.$$

Multiplying both sides of this equation by $\beta$, we see that

$$\beta = \pi(\mu\beta) + \nu(\alpha\beta).$$

By the hypotheses of the theorem, we know that $\pi \mid \alpha\beta$ so that $\pi \mid \nu(\alpha\beta)$. Because
$\beta = \pi(\mu\beta) + \nu(\alpha\beta)$, it follows (using Exercise 8 of Section 14.1) that $\pi \mid \beta$. ■


Lemma 14.1 is a key ingredient in proving that the Gaussian integers enjoy the
unique factorization property. Other sets of algebraic integers, such as $\mathbb{Z}[\sqrt{-5}]$, the
set of quadratic integers of the form $a + b\sqrt{-5}$, do not enjoy a property analogous to
Lemma 14.1 and do not enjoy unique factorization.


We can extend Lemma 14.1 to products with more than two terms. 

Lemma 14.2. If $\pi$ is a Gaussian prime and $\alpha_1, \alpha_2, \ldots, \alpha_m$ are Gaussian integers such
that $\pi \mid \alpha_1\alpha_2\cdots\alpha_m$, then there is an integer $j$ such that $\pi \mid \alpha_j$, where $1 \le j \le m$.


Proof. We can prove this result using mathematical induction. When $m = 1$, the result
is trivial. Now suppose that the result is true for $m = k$, where $k$ is a positive integer. That
is, suppose that if

$$\pi \mid \alpha_1\alpha_2\cdots\alpha_k,$$

where $\alpha_i$ is a Gaussian integer for $i = 1, 2, \ldots, k$, then $\pi \mid \alpha_i$ for some integer $i$ with
$1 \le i \le k$. Now suppose that

$$\pi \mid \alpha_1\alpha_2\cdots\alpha_k\alpha_{k+1},$$

where $\alpha_i$, $i = 1, 2, \ldots, k + 1$ are Gaussian integers. Then $\pi \mid \alpha_1(\alpha_2\cdots\alpha_k\alpha_{k+1})$, so
that by Lemma 14.1, we know that $\pi \mid \alpha_1$ or $\pi \mid \alpha_2\cdots\alpha_k\alpha_{k+1}$. If $\pi \mid \alpha_2\cdots\alpha_k\alpha_{k+1}$,
we can use the induction hypothesis to conclude that $\pi \mid \alpha_j$ for some integer $j$ with
$2 \le j \le k + 1$. It follows that $\pi \mid \alpha_j$ for some integer $j$ with $1 \le j \le k + 1$, completing
the proof. ■


We can now state and prove the unique factorization theorem for Gaussian integers.
Not surprisingly, Carl Friedrich Gauss was the first to prove this theorem.

Theorem 14.10. The Unique Factorization Theorem for Gaussian Integers. Suppose
that $\gamma$ is a nonzero Gaussian integer that is not a unit. Then

(i) $\gamma$ can be written as the product of Gaussian primes; and

(ii) this factorization is unique in the sense that if

$$\gamma = \pi_1\pi_2\cdots\pi_s = \rho_1\rho_2\cdots\rho_t,$$

where $\pi_1, \pi_2, \ldots, \pi_s, \rho_1, \rho_2, \ldots, \rho_t$ are all Gaussian primes, then $s = t$,
and after renumbering the terms, if necessary, $\pi_i$ and $\rho_i$ are associates for
$i = 1, 2, \ldots, s$.


Proof. We will prove part (i) using the second principle of mathematical induction
where the variable is $N(\gamma)$, the norm of $\gamma$. First note that because $\gamma \neq 0$ and $\gamma$ is not a
unit, by Theorem 14.3, we know that $N(\gamma) \neq 1$. It follows that $N(\gamma) \ge 2$.


When $N(\gamma) = 2$, by Theorem 14.5, we know that $\gamma$ is a Gaussian prime. Consequently,
in this case, $\gamma$ is the product of exactly one Gaussian prime, itself.


Now assume that $N(\gamma) > 2$. We assume that every Gaussian integer $\delta$ with $N(\delta) <
N(\gamma)$ can be written as the product of Gaussian primes; this is the induction hypothesis.
If $\gamma$ is a Gaussian prime, it can be written as the product of exactly one Gaussian prime,
itself. Otherwise, $\gamma = \eta\theta$, where $\eta$ and $\theta$ are Gaussian integers that are not units. Because
$\eta$ and $\theta$ are not units, by Theorems 14.1 and 14.3, we know that $N(\eta) > 1$ and $N(\theta) > 1$.
Furthermore, because $N(\gamma) = N(\eta)N(\theta)$, we know that $2 \le N(\eta) < N(\gamma)$ and $2 \le
N(\theta) < N(\gamma)$. Using the induction hypothesis, we know that both $\eta$ and $\theta$ are products
of Gaussian primes. That is, $\eta = \pi_1\pi_2\cdots\pi_s$, where $\pi_1, \pi_2, \ldots, \pi_s$ are Gaussian primes
and $\theta = \rho_1\rho_2\cdots\rho_t$, where $\rho_1, \rho_2, \ldots, \rho_t$ are Gaussian primes. Consequently,

$$\gamma = \theta\eta = \pi_1\pi_2\cdots\pi_s\rho_1\rho_2\cdots\rho_t$$

is the product of Gaussian primes. This finishes the proof that every Gaussian integer
can be written as the product of Gaussian primes.


We will also use the second principle of mathematical induction to prove part (ii) of
the theorem, the uniqueness of the factorization in the sense described in the statement of
the theorem. Suppose that $\gamma$ is a nonzero Gaussian integer that is not a unit. By Theorem
14.3, we know that $N(\gamma) \ge 2$. To begin the proof by mathematical induction, note that
when $N(\gamma) = 2$, $\gamma$ is a Gaussian prime, so $\gamma$ can only be written in one way as the
product of Gaussian primes, namely, the product with one term, $\gamma$.


Now assume that part (ii) of the statement of the theorem is true when $\delta$ is a Gaussian
integer with $N(\delta) < N(\gamma)$. Assume that $\gamma$ can be written as the product of Gaussian
primes in two ways, that is,

$$\gamma = \pi_1\pi_2\cdots\pi_s = \rho_1\rho_2\cdots\rho_t,$$

where $\pi_1, \pi_2, \ldots, \pi_s, \rho_1, \rho_2, \ldots, \rho_t$ are all Gaussian primes. Note that $s > 1$; otherwise,
$\gamma$ is a Gaussian prime that already can be written uniquely as the product of Gaussian
primes.


Because $\pi_1 \mid \pi_1\pi_2\cdots\pi_s$ and $\pi_1\pi_2\cdots\pi_s = \rho_1\rho_2\cdots\rho_t$, we see that $\pi_1 \mid \rho_1\rho_2\cdots\rho_t$.
By Lemma 14.2, we know that $\pi_1 \mid \rho_k$ for some integer $k$ with $1 \le k \le t$. We can reorder
the primes $\rho_1, \rho_2, \ldots, \rho_t$, if necessary, so that $\pi_1 \mid \rho_1$. Because $\rho_1$ is a Gaussian prime,
it is only divisible by units and associates, so that $\pi_1$ and $\rho_1$ must be associates. It follows
that $\rho_1 = \epsilon\pi_1$, where $\epsilon$ is a unit. This implies that

$$\pi_1\pi_2\cdots\pi_s = \rho_1\rho_2\cdots\rho_t = \epsilon\pi_1\rho_2\cdots\rho_t.$$

We now divide both sides of this last equation by $\pi_1$ to obtain

$$\pi_2\pi_3\cdots\pi_s = (\epsilon\rho_2)\rho_3\cdots\rho_t.$$

Because $\pi_1$ is a Gaussian prime, we know that $N(\pi_1) \ge 2$. Consequently,

$$1 < N(\pi_2\pi_3\cdots\pi_s) < N(\pi_1\pi_2\cdots\pi_s) = N(\gamma).$$

By the induction hypothesis and the fact that $\pi_2\pi_3\cdots\pi_s = (\epsilon\rho_2)\rho_3\cdots\rho_t$, we can
conclude that $s - 1 = t - 1$, and that after reordering of terms, if necessary, $\rho_i$ is an
associate of $\pi_i$ for $i = 1, 2, \ldots, s - 1$. This completes the proof of part (ii). ■


Factoring a Gaussian integer into a product of Gaussian primes can be done by 
computing its norm. For each prime in the factorization of this norm as a rational integer, 
we look for possible Gaussian prime divisors of the Gaussian integer with this norm. We 
can perform trial division by each possible Gaussian prime divisor to see whether it 
divides the Gaussian integer. 


Example 14.10. To find the factorization of 20 into Gaussian integers, we note that
$N(20) = 20^2 = 400$. It follows that the possible Gaussian prime divisors of 20 have
norm 2 or 5. We find that we can divide 20 by $1 + i$ four times, leaving a quotient of $-5$.
Because $5 = (1 + 2i)(1 - 2i)$, we see that

$$20 = -(1 + i)^4(1 + 2i)(1 - 2i).$$ ◀


EXERCISES


1. Use the definition of the greatest common divisor of two Gaussian integers to show that if $\pi_1$
and $\pi_2$ are Gaussian primes that are not associates, then 1 is a greatest common divisor of $\pi_1$
and $\pi_2$.


2. Use the definition of the greatest common divisor of two Gaussian integers to show that if $\epsilon$
is a unit and $\alpha$ is a Gaussian integer, then 1 is a greatest common divisor of $\alpha$ and $\epsilon$.


3. Show that if $\gamma$ is a greatest common divisor of the Gaussian integers $\alpha$ and $\beta$, then $\bar{\gamma}$ is a
greatest common divisor of $\bar{\alpha}$ and $\bar{\beta}$.


4. a) By extending the definition of a greatest common divisor of two Gaussian integers, define
the greatest common divisor of a set of more than two Gaussian integers.

b) Show from your definition that a greatest common divisor of three Gaussian integers $\alpha$, $\beta$,
and $\gamma$ is a greatest common divisor of $\gamma$ and a greatest common divisor of $\alpha$ and $\beta$.


5. Show that if $\alpha$ and $\beta$ are Gaussian integers and $\gamma$ is a greatest common divisor of $\alpha$ and $\beta$,
then all associates of $\gamma$ are also greatest common divisors of $\alpha$ and $\beta$.


6. Show that if $\alpha$ and $\beta$ are Gaussian integers and $N(\alpha)$ and $N(\beta)$ are relatively prime rational
integers, then $\alpha$ and $\beta$ are relatively prime Gaussian integers.


7. Show that the converse of the statement in Exercise 6 is not necessarily true, that is, find
Gaussian integers $\alpha$ and $\beta$ such that $\alpha$ and $\beta$ are relatively prime Gaussian integers, but $N(\alpha)$
and $N(\beta)$ are not relatively prime positive integers.


8. Show that if $\alpha$ and $\beta$ are Gaussian integers and $\gamma$ is a greatest common divisor of $\alpha$ and $\beta$,
then $N(\gamma)$ divides $(N(\alpha), N(\beta))$.


9. Show that if $a$ and $b$ are relatively prime rational integers, then they are also relatively prime
Gaussian integers.


10. Show that if $\alpha$, $\beta$, and $\gamma$ are Gaussian integers and $n$ is a positive integer such that $\alpha\beta = \gamma^n$
and $\alpha$ and $\beta$ are relatively prime, then $\alpha = \epsilon\delta^n$, where $\epsilon$ is a unit and $\delta$ is a Gaussian integer.


11. a) Show all steps of the version of the Euclidean algorithm for the Gaussian integers
described in the text to find a greatest common divisor of $\alpha = 44 + 18i$ and $\beta = 12 - 16i$.

b) Use the steps in part (a) to find Gaussian integers $\mu$ and $\nu$ such that $\mu(44 + 18i) + \nu(12 -
16i)$ equals the greatest common divisor found in part (a).


12. a) Show all steps of the version of the Euclidean algorithm for the Gaussian integers
described in the text to show that $2 - 11i$ and $7 + 8i$ are relatively prime.

b) Use the steps in part (a) to find Gaussian integers $\mu$ and $\nu$ such that $\mu(2 - 11i) + \nu(7 +
8i) = 1$.


13. Show that two consecutive Gaussian Fibonacci numbers $G_k$ and $G_{k+1}$ (defined in the preamble
to Exercise 37 of Section 14.1), where $k$ is a positive integer, are relatively prime Gaussian
integers.


14. How many divisions are used to find a greatest common divisor of two consecutive Gaussian
Fibonacci numbers $G_k$ and $G_{k+1}$ (defined in Exercise 37 of Section 14.1), where $k$ is a positive
integer? Justify your answer.


15. Derive a big-O estimate for the number of bit operations required to find a greatest common
divisor of two nonzero Gaussian integers $\alpha$ and $\beta$, where $N(\alpha) < N(\beta)$. (Hint: Use the remark
following the proof of Theorem 14.6.)


16. For each of these Gaussian integers, find its factorization into Gaussian primes and a unit
where each Gaussian prime has a positive real part and a nonnegative imaginary part.

a) $9 + i$   b) $4$   c) $22 + 7i$   d) $210 + 2100i$


17. For each of these Gaussian integers, find its factorization into Gaussian primes and a unit
where each Gaussian prime has a positive real part and a nonnegative imaginary part.

a) $7 + 6i$   b) $3 - 13i$   c) $28$   d) $400i$


18. Find the factorization into Gaussian primes of each of the Gaussian integers $k + (7 - k)i$ for
$k = 1, 2, 3, 4, 5, 6, 7$, where each Gaussian prime has a positive real part and a nonnegative
imaginary part.


19. Determine the number of different Gaussian integers, counting associates separately, that
divide

a) $10$.   b) $256 + 128i$.   c) $27{,}000$.   d) $5040 + 40{,}320i$.


20. Determine the number of different Gaussian integers, counting associates separately, that
divide

a) $198$.   b) $128 + 256i$.   c) $169{,}000$.   d) $4004 + 8008i$.


21. Suppose that $a + ib$ is a Gaussian integer and $n$ is a rational integer. Show that $n$ and $a + ib$
are relatively prime if and only if $n$ and $b + ai$ are relatively prime.


22. Use the unique factorization theorem for Gaussian integers (Theorem 14.10) and Exercise
13 of Section 14.1 to show that every nonzero Gaussian integer can be written uniquely,
except for the order of terms, as $\epsilon\pi_1^{e_1}\pi_2^{e_2}\cdots\pi_k^{e_k}$, where $\epsilon$ is a unit and for $j = 1, 2, \ldots, k$,
$\pi_j = a_j + ib_j$ is a Gaussian prime with $a_j > 0$ and $b_j \ge 0$, and $e_j$ is a positive integer.


23. Adapt Euclid's proof that there are infinitely many primes (Theorem 3.1) to show that there
are infinitely many Gaussian primes.


Exercises 24-41 rely on the notion of a congruence for Gaussian integers defined in the preamble
to Exercise 33 in Section 14.1.


24. a) Define what it means for $\beta$ to be an inverse of $\alpha$ modulo $\mu$, where $\alpha$, $\beta$, and $\mu$ are
Gaussian integers.

b) Show that if $\alpha$ and $\mu$ are relatively prime Gaussian integers, then there exists a Gaussian
integer $\beta$ that is an inverse of $\alpha$ modulo $\mu$.


25. Find an inverse of $1 + 2i$ modulo $2 + 3i$.


26. Find an inverse of $4$ modulo $5 + 2i$.


27. Explain how a linear congruence of the form $\alpha x \equiv \beta \pmod{\mu}$ can be solved, where $\alpha$, $\beta$, and
$\mu$ are Gaussian integers and $\alpha$ and $\mu$ are relatively prime.


28. Solve each of these linear congruences in Gaussian integers.

a) $(2 + i)x \equiv 3 \pmod{4 - i}$   b) $4x \equiv -3 + 4i \pmod{5 + 2i}$   c) $2x \equiv 5 \pmod{3 - 2i}$


29. Solve each of these linear congruences in Gaussian integers.

a) $3x \equiv 2 + i \pmod{13}$   b) $5x \equiv 3 - 2i \pmod{4 + i}$   c) $(3 + i)x \equiv 4 \pmod{2 + 3i}$


30. Solve each of these linear congruences in Gaussian integers.

a) $5x \equiv 2 - 3i \pmod{11}$   b) $4x \equiv 7 + i \pmod{3 + 2i}$   c) $(2 + 5i)x \equiv 3 \pmod{4 - 7i}$


31. Develop and prove a version of the Chinese remainder theorem for systems of congruences
for Gaussian integers.


32. Find the simultaneous solutions in Gaussian integers of the system of congruences

$x \equiv 2 \pmod{2 + 3i}$
$x \equiv 3 \pmod{1 + 4i}$.


33. Find the simultaneous solutions in Gaussian integers of the system of congruences

$x \equiv 1 + 3i \pmod{2 + 5i}$
$x \equiv 2 - i \pmod{3 - 4i}$.


34. Find a Gaussian integer congruent to 1 modulo 11, to 2 modulo $4 + 3i$, and to 3 modulo
$1 + 7i$.


A complete residue system modulo $\gamma$, where $\gamma$ is a Gaussian integer, is a set of Gaussian integers
such that every Gaussian integer is congruent modulo $\gamma$ to exactly one element of this set.


35. Find a complete residue system modulo

a) $1 - i$.   b) $2$.   c) $2 + 3i$.


36. Find a complete residue system modulo

a) $1 + 2i$.   b) $3$.   c) $4 - i$.


37. Prove that a complete residue system of $\alpha$, where $\alpha$ is a Gaussian integer, has $N(\alpha)$ elements.


A reduced residue system modulo $\gamma$, where $\gamma$ is a Gaussian integer, is a set of Gaussian integers
such that every Gaussian integer that is relatively prime to $\gamma$ is congruent to exactly one element
of this set.


38. Find a reduced residue system modulo

a) $-1 + 3i$.   b) $2$.   c) $5 - i$.


39. Find a reduced residue system modulo

a) $2 + 2i$.   b) $4$.   c) $4 + 2i$.


40. Suppose that $\pi$ is a Gaussian prime. Determine the number of elements in a reduced residue
system modulo $\pi$.


41. Suppose that $\pi$ is a Gaussian prime. Determine the number of elements in a reduced residue
system modulo $\pi^e$, where $e$ is a positive integer.


42. a) Show that the algebraic integers of the form $r + s\sqrt{-3}$, where $r$ and $s$ are rational
numbers, are the numbers of the form $a + b\omega$, where $a$ and $b$ are integers and where
$\omega = (-1 + \sqrt{-3})/2$. Numbers of this form are called Eisenstein integers after Max
Eisenstein, who studied them in the mid-nineteenth century. (They are also sometimes
called Eisenstein-Jacobi integers because they were also studied by Carl Jacobi.) The set
of Eisenstein integers is denoted by $\mathbb{Z}[\omega]$.

b) Show that the sum, difference, and product of two Eisenstein integers is also an Eisenstein
integer.

c) Show that if $\alpha$ is an Eisenstein integer, then $\bar{\alpha}$, the complex conjugate of $\alpha$, is also an
Eisenstein integer. (Hint: First show that $\bar{\omega} = \omega^2$.)

d) If $\alpha$ is an Eisenstein integer, we define the norm of this integer by $N(\alpha) = a^2 - ab + b^2$ if
$\alpha = a + b\omega$, where $a$ and $b$ are integers. Show that $N(\alpha) = \alpha\bar{\alpha}$ whenever $\alpha$ is an Eisenstein
integer.

e) If $\alpha$ and $\beta$ are Eisenstein integers, we say that $\alpha$ divides $\beta$ if there exists an element $\gamma$
in $\mathbb{Z}[\omega]$ such that $\beta = \alpha\gamma$. Determine whether $1 + 2\omega$ divides $1 + 5\omega$ and whether $3 + \omega$
divides $9 + 8\omega$.

f) An Eisenstein integer $\epsilon$ is a unit if $\epsilon$ divides 1. Find all the Eisenstein integers that are
units.

g) An Eisenstein prime $\pi$ in $\mathbb{Z}[\omega]$ is an element divisible only by a unit or an associate of $\pi$.
(An associate of an Eisenstein integer is the product of that integer and a unit.) Determine
whether each of the following elements are Eisenstein primes: $1 + 2\omega$, $3 - 2\omega$, $5 + 4\omega$,
and $-7 - 2\omega$.

h) Show that if $\alpha$ and $\beta \neq 0$ belong to $\mathbb{Z}[\omega]$, there are numbers $\gamma$ and $\rho$ such that $\alpha = \beta\gamma + \rho$
and $N(\rho) < N(\beta)$. That is, establish a version of the division algorithm for the Eisenstein
integers.

i) Using part (h), show that Eisenstein integers can be uniquely written as the product of
Eisenstein primes, with the appropriate considerations about associated primes taken into
account.

j) Find the factorization into Eisenstein primes of each of the following Eisenstein integers:
$6$, $5 + 9\omega$, $114$, $37 + 74\omega$.


43. a) Show that the algebraic integers of the form $r + s\sqrt{-5}$, where $r$ and $s$ are rational numbers,
are the numbers of the form $a + b\sqrt{-5}$, where $a$ and $b$ are rational integers. (Recall that
we briefly studied such numbers in Chapter 3. In this exercise, we look at these numbers
in more detail.)

b) Show that the sum, difference, and product of numbers of the form $a + b\sqrt{-5}$, where $a$
and $b$ are rational integers, is again of this form.

c) We denote the set of numbers $a + b\sqrt{-5}$ by $\mathbb{Z}[\sqrt{-5}]$. Suppose that $\alpha$ and $\beta$ belong to
$\mathbb{Z}[\sqrt{-5}]$. We say that $\alpha$ divides $\beta$ if there exists a number $\gamma$ in $\mathbb{Z}[\sqrt{-5}]$ such that $\beta = \alpha\gamma$.
Determine whether $-9 + 11\sqrt{-5}$ is divisible by $2 + 3\sqrt{-5}$ and whether $8 + 13\sqrt{-5}$ is
divisible by $1 + 4\sqrt{-5}$.

d) We define the norm of a number $\alpha = a + b\sqrt{-5}$ to be $N(\alpha) = a^2 + 5b^2$. Show that
$N(\alpha\beta) = N(\alpha)N(\beta)$ whenever $\alpha$ and $\beta$ belong to $\mathbb{Z}[\sqrt{-5}]$.

e) We say $\epsilon$ is a unit of $\mathbb{Z}[\sqrt{-5}]$ if $\epsilon$ divides 1. Show that the units in $\mathbb{Z}[\sqrt{-5}]$ are $1$ and $-1$.

f) We say that an element $\alpha$ in $\mathbb{Z}[\sqrt{-5}]$ is prime if its only divisors in $\mathbb{Z}[\sqrt{-5}]$ are $1$, $-1$,
$\alpha$, and $-\alpha$. Show that $2$, $3$, $1 + \sqrt{-5}$, and $1 - \sqrt{-5}$ are all primes, and that 2 does not
divide either $1 + \sqrt{-5}$ or $1 - \sqrt{-5}$. Conclude that $6 = 2 \cdot 3 = (1 + \sqrt{-5})(1 - \sqrt{-5})$ can
be written as the product of primes in two different ways. This means that $\mathbb{Z}[\sqrt{-5}]$ does
not have unique factorization into primes.

g) Show that there do not exist elements $\gamma$ and $\rho$ in $\mathbb{Z}[\sqrt{-5}]$ such that $7 - 2\sqrt{-5} =
(1 + \sqrt{-5})\gamma + \rho$, where $N(\rho) < N(1 + \sqrt{-5}) = 6$. Conclude that there is no analog for
the division algorithm in $\mathbb{Z}[\sqrt{-5}]$.

h) Show that if $\alpha = 3$ and $\beta = 1 + \sqrt{-5}$, there do not exist numbers $\mu$ and $\nu$ in $\mathbb{Z}[\sqrt{-5}]$
such that $\alpha\mu + \beta\nu = 1$, even though $\alpha$ and $\beta$ are both primes, neither of which divides
the other.


Computations and Explorations


1. Find the unique factorization into a unit and a product of Gaussian primes, where each
Gaussian prime has a positive real part and a nonnegative imaginary part, of $(2007 - k) +
(2008 - k)i$ for all positive integers $k$ with $k < 8$.


2. Find a prime factor of smallest norm of each of the Gaussian integers formed by adding 1 to
the product of all Gaussian primes with norm less than $n$ for as many $n$ as possible. Do you
think that infinitely many of these numbers are Gaussian primes?


3. Determine whether two randomly selected Gaussian integers are relatively prime, and by
doing this repeatedly, estimate the probability that two randomly selected Gaussian integers
are relatively prime.


Programming Projects 


1. Find a greatest common divisor of two Gaussian integers using a version of the Euclidean 
algorithm for Gaussian integers. 


2. Express a greatest common divisor of two Gaussian integers as a linear combination of these 
Gaussian integers. 


3. Keep track of the number of steps used by the version of the Euclidean algorithm for Gaussian 
integers that uses the construction in the proof of the division algorithm for Gaussian integers 
to find quotients and remainders. 


4. Find the unique factorization of a Gaussian integer into a unit times Gaussian primes, where 
each Gaussian prime in the factorization is in the first quadrant. 


14.3 Gaussian Integers and Sums of Squares 


In Section 13.3, we determined which positive integers are the sum of two squares. In 
this section, we will show that we can prove this result using what we have learned about 
Gaussian primes. We will also be able to determine the number of different ways that a 
positive integer can be written as the sum of two squares using Gaussian primes. 


In Section 13.3, we proved that every prime of the form 4k + 1 is the sum of two 
squares. We can prove this fact in a different way using Gaussian primes. 


Theorem 14.11. If $p$ is a rational prime of the form $4k + 1$, where $k$ is a positive integer,
then $p$ is the sum of two squares, and these squares are unique up to their order.


Proof. Suppose that $p$ is of the form $4k + 1$, where $k$ is a positive integer. To prove that
$p$ can be written as the sum of two squares, we show that $p$ is not a Gaussian prime. By
Theorem 11.5, we know that $-1$ is a quadratic residue of $p$. Consequently, we know that
there is a rational integer $t$ such that $t^2 \equiv -1 \pmod{p}$. It follows that $p \mid (t^2 + 1)$. We
can use this divisibility relation for rational integers to conclude that $p \mid (t + i)(t - i)$.
If $p$ is a Gaussian prime, then by Lemma 14.1, it follows that $p \mid t + i$ or $p \mid t - i$. Both
of these cases are impossible because the Gaussian integers divisible by $p$ have the form
$p(a + bi) = pa + pbi$, where $a$ and $b$ are rational integers. Neither $t + i$ nor $t - i$ has
this form. We can conclude that $p$ is not a Gaussian prime.


Because $p$ is not a Gaussian prime, there are Gaussian integers $\alpha$ and $\beta$, neither a
unit, such that $p = \alpha\beta$. Taking norms of both sides of this equation, we find that

$$N(p) = p^2 = N(\alpha\beta) = N(\alpha)N(\beta).$$

Because neither $\alpha$ nor $\beta$ is a unit, $N(\alpha) \neq 1$ and $N(\beta) \neq 1$. This implies that $N(\alpha) =
N(\beta) = p$. Consequently, if $\alpha = a + bi$ and $\beta = c + di$, we know that

$$p = N(\alpha) = a^2 + b^2 \quad\text{and}\quad p = N(\beta) = c^2 + d^2.$$

It follows that $p$ is the sum of two squares.


We leave the proof that $p$ can be written uniquely as the sum of two squares to the
reader. ■


To find which rational integers are the sum of two squares, we will need to determine 
which rational integers are Gaussian primes and which factor into Gaussian primes. To 
accomplish that task, we will need the following lemma. 


Lemma 14.3. If $\pi$ is a Gaussian prime, then there is exactly one rational prime $p$ such
that $\pi$ divides $p$.


Proof. We first factor the rational integer $N(\pi)$ into prime factors, say, $N(\pi) =
p_1p_2\cdots p_t$, where $p_j$ is prime for $j = 1, 2, \ldots, t$. Because $N(\pi) = \pi\bar{\pi}$, it follows
that $\pi \mid N(\pi)$, so that $\pi \mid p_1p_2\cdots p_t$. By Lemma 14.2, it follows that $\pi \mid p_j$ for some
integer $j$ with $1 \le j \le t$. We have shown that $\pi$ divides a rational prime.


To complete the proof, we must show that $\pi$ cannot divide two different rational
primes. So suppose that $\pi \mid p_1$ and $\pi \mid p_2$, where $p_1$ and $p_2$ are different rational primes.
Because $p_1$ and $p_2$ are relatively prime, by Corollary 3.8.1, there are rational integers $m$
and $n$ such that $mp_1 + np_2 = 1$. Moreover, because $\pi \mid p_1$ and $\pi \mid p_2$, we see that $\pi \mid 1$
(using the divisibility property in Exercise 8 of Section 14.1). But this implies that $\pi$ is
a unit, which is impossible, so $\pi$ does not divide two different rational primes. ■


We can now determine which rational primes are also Gaussian primes and the 
factorization into Gaussian primes of those that are not. 


Theorem 14.12. If p is a rational prime, then p factors as a Gaussian integer according 
to these rules: 


(i) If p=2, then p= —i(1+i)* =i(1— i)”, where 1+ i and 1—i are both 
Gaussian primes with norm 2. 
(ii) If p=3 (mod 4), then p = 7 is a Gaussian prime with N(z) = p’. 


(iii) If p =1 (mod 4), then p = 27’, where x and z’ are Gaussian primes that are 
not associates with N(z) = N(x’) = p. 


Proof. To prove (i), we note that $2 = -i(1+i)^2 = i(1-i)^2$, where the factors $-i$ and $i$
are units. Furthermore, $N(1+i) = N(1-i) = 1^2 + 1^2 = 2$. Since $N(1+i) = N(1-i)$
is a rational prime, by Theorem 14.5, it follows that $1+i$ and $1-i$ are Gaussian primes.


To prove (ii), let $p$ be a rational prime with $p \equiv 3 \pmod 4$. Suppose that $p = \alpha\beta$,
where $\alpha$ and $\beta$ are Gaussian integers with $\alpha = a + bi$ and $\beta = c + di$ and neither
$\alpha$ nor $\beta$ is a unit. By part (ii) of Theorem 14.1, it follows that $N(p) = N(\alpha\beta) = N(\alpha)N(\beta)$. Because $N(p) = p^2$, $N(\alpha) = a^2 + b^2$, and $N(\beta) = c^2 + d^2$, we see that
$p^2 = (a^2 + b^2)(c^2 + d^2)$. Neither $\alpha$ nor $\beta$ is a unit, so neither has norm 1. It follows
that $N(\alpha) = a^2 + b^2 = p$ and $N(\beta) = c^2 + d^2 = p$. However, this is impossible because
$p \equiv 3 \pmod 4$, so that $p$ is not the sum of two squares.


To prove (iii), let $p$ be a rational prime with $p \equiv 1 \pmod 4$. By Theorem 14.11,
there are integers $a$ and $b$ such that $p = a^2 + b^2$. If $\pi_1 = a - bi$ and $\pi_2 = a + bi$, then
$p^2 = N(p) = N(\pi_1)N(\pi_2)$, so that $N(\pi_1) = N(\pi_2) = p$. It follows by Theorem 14.5
that $\pi_1$ and $\pi_2$ are Gaussian primes.


Next, we show that $\pi_1$ and $\pi_2$ are not associates. Suppose that $\pi_1 = \epsilon\pi_2$, where $\epsilon$ is
a unit. Because $\epsilon$ is a unit, $\epsilon = 1$, $-1$, $i$, or $-i$.


If $\epsilon = 1$, then $\pi_1 = \pi_2$. This means that $a + bi = a - bi$, so that $b = 0$. This implies
that $p = a^2 + b^2 = a^2$, which is impossible because $p$ is prime. Similarly, when $\epsilon = -1$,
then $\pi_1 = -\pi_2$. This implies that $a + bi = -a + bi$, which makes $a = 0$. This implies
that $b^2 = p$, which is also impossible. If $\epsilon = i$, then $a + ib = i(a - ib) = b + ia$, so
that $a = b$. Similarly, if $\epsilon = -i$, then $a + ib = -i(a - ib)$, so that $a = -b$. In both of
these cases, $p = a^2 + b^2 = 2a^2$, which is impossible because $p$ is an odd prime. We have
shown that all four possible values of $\epsilon$ are impossible. It follows that $\pi_1$ and $\pi_2$ are not
associates, completing the proof of (iii). ■
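The three cases of Theorem 14.12 can be carried out by machine. The following Python sketch is an added example, not code from the text: for $p \equiv 1 \pmod 4$ it finds $x$ with $x^2 \equiv -1 \pmod p$ and takes a greatest common divisor of $p$ and $x + i$ using the Euclidean algorithm for Gaussian integers. The function names are illustrative, and the input is assumed to be a rational prime.

```python
# Gaussian integers are represented as (re, im) tuples of Python ints.

def g_mul(x, y):
    return (x[0] * y[0] - x[1] * y[1], x[0] * y[1] + x[1] * y[0])

def g_norm(x):
    return x[0] * x[0] + x[1] * x[1]

def round_div(a, n):
    """Nearest integer to a / n for n > 0, in exact integer arithmetic."""
    return (2 * a + n) // (2 * n)

def g_mod(x, y):
    """Remainder r = x - q*y, with q the nearest Gaussian integer to x/y,
    so that N(r) <= N(y)/2 (the division algorithm for Gaussian integers)."""
    n = g_norm(y)
    t = g_mul(x, (y[0], -y[1]))              # x * conj(y) = (x / y) * N(y)
    q = (round_div(t[0], n), round_div(t[1], n))
    qy = g_mul(q, y)
    return (x[0] - qy[0], x[1] - qy[1])

def g_gcd(x, y):
    """Euclidean algorithm in the Gaussian integers (result is unique up to a unit)."""
    while y != (0, 0):
        x, y = y, g_mod(x, y)
    return x

def sqrt_minus_one(p):
    """Return x with x*x = -1 (mod p) for a prime p = 1 (mod 4)."""
    for c in range(2, p):
        # Euler's criterion: c is a quadratic nonresidue iff c^((p-1)/2) = -1.
        if pow(c, (p - 1) // 2, p) == p - 1:
            return pow(c, (p - 1) // 4, p)
    raise ValueError("p must be a prime congruent to 1 modulo 4")

def factor_rational_prime(p):
    """Return (unit, [(gaussian_prime, exponent), ...]) whose product is p."""
    if p == 2:
        return (0, -1), [((1, 1), 2)]            # case (i): 2 = -i (1 + i)^2
    if p % 4 == 3:
        return (1, 0), [((p, 0), 1)]             # case (ii): p stays prime
    # case (iii): p divides x^2 + 1 = (x + i)(x - i) but neither factor,
    # so a gcd of p and x + i is a Gaussian prime of norm p.
    x = sqrt_minus_one(p)
    a, b = g_gcd((p, 0), (x, 1))
    a, b = abs(a), abs(b)                        # a^2 + b^2 = p either way
    return (1, 0), [((a, b), 1), ((a, -b), 1)]   # p = (a + bi)(a - bi)

def expand(unit, factors):
    """Multiply a factorization back out."""
    result = unit
    for prime, exponent in factors:
        for _ in range(exponent):
            result = g_mul(result, prime)
    return result

def are_associates(x, y):
    units = [(1, 0), (-1, 0), (0, 1), (0, -1)]
    return any(g_mul(u, x) == y for u in units)

if __name__ == "__main__":
    for p in (2, 3, 5, 13, 19, 29, 97):
        print(p, factor_rational_prime(p))
```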


We have all the ingredients we need to determine the number of representations of 
a positive integer as the sum of two squares using the unique factorization theorem for 
the Gaussian integers. Recall that we determined which positive integers can be written 
as the sum of two squares in Theorem 13.6 in Section 13.3. 


Theorem 14.13. Suppose that $n$ is a positive integer with prime power factorization

$$n = 2^m p_1^{e_1} p_2^{e_2} \cdots p_s^{e_s} q_1^{f_1} q_2^{f_2} \cdots q_t^{f_t},$$

where $m$ is a nonnegative integer, $p_1, p_2, \ldots, p_s$ are primes of the form $4k + 1$, $q_1, q_2, \ldots, q_t$ are primes of the form $4k + 3$, $e_1, e_2, \ldots, e_s$ are nonnegative integers, and
$f_1, f_2, \ldots, f_t$ are even nonnegative integers. Then there are

$$4(e_1 + 1)(e_2 + 1) \cdots (e_s + 1)$$

ways to express $n$ as the sum of two squares. (Here the order in which squares appear in
the sum and the sign of the integer being squared both matter.)


Proof. To count the number of ways to write $n$ as the sum of two squares, that is, the
number of solutions $(a, b)$ of $n = a^2 + b^2$, we can count the number of ways to factor $n$
into Gaussian integers $a + ib$ and $a - ib$, that is, to write $n = (a + ib)(a - ib)$.


We will use the factorization of $n$ to count the number of ways we can factor
$n$ as the product of two conjugates, that is, $n = (a + ib)(a - ib)$. First, note that by
Theorem 14.11, for each prime $p_i$ of the form $4k + 1$ that divides $n$, there are integers
$a_i$ and $b_i$ such that $p_i = a_i^2 + b_i^2$. Also note that because $1 + i = i(1 - i)$, we have

$$2^m = (1+i)^m (1-i)^m = (i(1-i))^m (1-i)^m = i^m (1-i)^{2m}.$$

Consequently, we have

$$n = i^m (1-i)^{2m} (a_1 + b_1 i)^{e_1}(a_1 - b_1 i)^{e_1}(a_2 + b_2 i)^{e_2}(a_2 - b_2 i)^{e_2} \cdots (a_s + b_s i)^{e_s}(a_s - b_s i)^{e_s} q_1^{f_1} q_2^{f_2} \cdots q_t^{f_t}.$$


Next, note that $\epsilon = i^m$ is a unit because it takes on one of the values $1$, $-1$, $i$, or $-i$. This
means that a factorization of $n$ into the product of a unit and Gaussian primes is

$$n = \epsilon (1-i)^{2m} (a_1 + b_1 i)^{e_1}(a_1 - b_1 i)^{e_1}(a_2 + b_2 i)^{e_2}(a_2 - b_2 i)^{e_2} \cdots (a_s + b_s i)^{e_s}(a_s - b_s i)^{e_s} q_1^{f_1} q_2^{f_2} \cdots q_t^{f_t}.$$


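Because the Gaussian integer $u + iv$ divides $n$, its factorization into a unit and Gaussian
primes must have the form

$$u + iv = \epsilon_0 (1-i)^{w} (a_1 + b_1 i)^{g_1}(a_1 - b_1 i)^{h_1}(a_2 + b_2 i)^{g_2}(a_2 - b_2 i)^{h_2} \cdots (a_s + b_s i)^{g_s}(a_s - b_s i)^{h_s} q_1^{k_1} q_2^{k_2} \cdots q_t^{k_t},$$

where $\epsilon_0$ is a unit, $w$, $g_1, \ldots, g_s$, $h_1, \ldots, h_s$, and $k_1, \ldots, k_t$ are nonnegative integers
with $0 \le w \le 2m$, $0 \le g_i \le e_i$, and $0 \le h_i \le e_i$ for $i = 1, \ldots, s$, and $0 \le k_j \le f_j$ for $j = 1, \ldots, t$.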


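Forming the conjugate of $u + iv$, we find

$$u - iv = \bar{\epsilon}_0 (1+i)^{w} (a_1 - b_1 i)^{g_1}(a_1 + b_1 i)^{h_1}(a_2 - b_2 i)^{g_2}(a_2 + b_2 i)^{h_2} \cdots (a_s - b_s i)^{g_s}(a_s + b_s i)^{h_s} q_1^{k_1} q_2^{k_2} \cdots q_t^{k_t}.$$

We can now rewrite the equation $n = (u + iv)(u - iv)$ as

$$n = 2^{w} p_1^{g_1 + h_1} \cdots p_s^{g_s + h_s} q_1^{2k_1} \cdots q_t^{2k_t}.$$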


Comparing this with the factorization of $n$ into a unit and Gaussian primes, we
see that $w = m$, $g_i + h_i = e_i$ for $i = 1, \ldots, s$, and $2k_j = f_j$ for $j = 1, \ldots, t$. We
see that the values of $w$ and $k_j$ for $j = 1, \ldots, t$ are determined, but we have $e_i + 1$
choices for $g_i$, namely, $g_i = 0, 1, 2, \ldots, e_i$, and that once $g_i$ is determined, so is
$h_i = e_i - g_i$. Furthermore, we have four choices for the unit $\epsilon_0$. We conclude that there
are $4(e_1 + 1)(e_2 + 1) \cdots (e_s + 1)$ choices for the factor $u + iv$ and for the number of
ways to write $n$ as the sum of two squares. ■


Example 14.11. Suppose that $n = 25 = 5^2$. Then by Theorem 14.13, there are $4 \cdot 3 = 12$ ways to write 25 as the sum of two squares. (These are $(\pm 3)^2 + (\pm 4)^2$, $(\pm 4)^2 + (\pm 3)^2$,
$(\pm 5)^2 + 0^2$, and $0^2 + (\pm 5)^2$. Note that the order in which terms appear matters when we
count these representations.)


Suppose that $n = 90 = 2 \cdot 5 \cdot 3^2$. Then by Theorem 14.13, there are $4 \cdot 2 = 8$ ways
to write 90 as the sum of two squares. (These are $(\pm 3)^2 + (\pm 9)^2$ and $(\pm 9)^2 + (\pm 3)^2$.
Note that the order in which terms appear matters when we count these representations.)


Let $n = 16{,}200 = 2^3 \cdot 5^2 \cdot 3^4$. By Theorem 14.13, there are $4 \cdot 3 = 12$ ways to write
16,200 as the sum of two squares. We leave it to the reader to find these representations.
◀
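The count in Theorem 14.13 can be checked against a direct search. The following Python sketch is an added example, not code from the text; the function names are illustrative. It evaluates $4(e_1+1)\cdots(e_s+1)$ from a trial-division factorization, returns 0 when some prime of the form $4k + 3$ occurs to an odd power (the case excluded by the hypothesis that every $f_j$ is even), and lists every ordered, signed representation by brute force.

```python
from math import isqrt

def factorize(n):
    """Trial-division factorization of n >= 1 as {prime: exponent}."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1 if d == 2 else 2
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def count_by_theorem(n):
    """Number of ordered, signed pairs (a, b) with a^2 + b^2 = n, computed
    from the prime power factorization of n as in Theorem 14.13."""
    total = 4                                  # four choices of unit
    for p, e in factorize(n).items():
        if p % 4 == 1:
            total *= e + 1                     # e + 1 choices for g_i
        elif p % 4 == 3 and e % 2 == 1:
            return 0                           # f_j odd: no representation
    return total                               # the power of 2 plays no role

def representations(n):
    """All pairs (a, b) of integers with a^2 + b^2 = n, found by search."""
    reps = []
    bound = isqrt(n)
    for a in range(-bound, bound + 1):
        b_squared = n - a * a
        b = isqrt(b_squared)
        if b * b == b_squared:
            reps.append((a, b))
            if b != 0:
                reps.append((a, -b))
    return sorted(reps)

if __name__ == "__main__":
    for n in (25, 90, 16200, 21):
        reps = representations(n)
        print(n, count_by_theorem(n), len(reps), reps)
```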
Conclusion


In this section, we used the Gaussian integers to study the solutions of the diophantine
equation $x^2 + y^2 = n$, where $n$ is a positive integer. The Gaussian integers are useful
in studying a variety of other types of diophantine equations. For example, we can
find Pythagorean triples using the Gaussian integers (Exercise 7), and we can find the
solutions in rational integers of the diophantine equation $x^2 + y^2 = z^3$ (Exercise 8).


EXERCISES 


Determine the number of ways to write each of the following rational integers as the sum of
squares of two rational integers.
a) 5 b) 20 c) 120 d) 1000


Determine the number of ways to write each of the following rational integers as the sum of
squares of two rational integers.
a) 16 b) 99 c) 650 d) 1,001,000


Explain how to solve a linear diophantine equation of the form $\alpha x + \beta y = \gamma$, where $\alpha$, $\beta$,
and $\gamma$ are Gaussian integers, so that the solution $(x, y)$ is a pair of Gaussian integers.


Find all solutions in pairs of Gaussian integers $(x, y)$ of each of these linear diophantine
equations.
a) $(3 + 2i)x + 5y = 7i$ b) $5x + (2 - i)y = 3$


Find all solutions in pairs of Gaussian integers $(x, y)$ of each of the following linear diophantine
equations.
a) $(3 + 4i)x + (3 - i)y = 7$ b) $(7 + i)x + (7 - i)y = 1$


Explain how to solve a linear diophantine equation of the form $\alpha x + \beta y + \delta z = \gamma$, where $\alpha$,
$\beta$, $\delta$, and $\gamma$ are Gaussian integers, so that the solution $(x, y, z)$ is a triple of Gaussian integers.


Prove the uniqueness part of Theorem 14.11. That is, show that if $p$ is a prime of the form
$4k + 1$ and $p = a^2 + b^2 = c^2 + d^2$, where $a$, $b$, $c$, and $d$ are integers, then either $a^2 = c^2$ and
$b^2 = d^2$ or $a^2 = d^2$ and $b^2 = c^2$.


In this exercise, we will use the Gaussian integers to find the solutions in pairs $(x, y)$ of
rational integers of the diophantine equation $x^2 + 1 = y^3$.

a) Show that if $x$ and $y$ are integers such that $x^2 + 1 = y^3$, then $x - i$ and $x + i$ are relatively
prime.

b) Show that there are integers $r$ and $s$ such that $x = r^3 - 3rs^2$ and $3r^2 s - s^3 = 1$. (Hint:
Use part (a) and Exercise 10 in Section 14.2 to show that there is a unit $\epsilon$ and a Gaussian
integer $\delta$ such that $x + i = (\epsilon\delta)^3$.)

c) Find all solutions in integers of $x^2 + 1 = y^3$ by analyzing the equations for $r$ and $s$ in part
(b).


Use the Gaussian integers to prove Theorem 13.1 in Section 13.1, which gives primitive
Pythagorean triples, that is, solutions of the equation $x^2 + y^2 = z^2$ in integers $x$, $y$, and
$z$, where $x$, $y$, and $z$ are pairwise relatively prime. (Hint: Begin with the factorization
$x^2 + y^2 = (x + iy)(x - iy)$. Show that $x + iy$ and $x - iy$ are relatively prime Gaussian
integers, and then use Exercise 10 in Section 14.1.)


Use the Gaussian integers to find all solutions of the diophantine equation $x^2 + y^2 = z^3$ in
rational integers $x$, $y$, and $z$.


Prove the analog of Fermat’s little theorem for the Gaussian integers, which states that if $\alpha$
and $\pi$ are relatively prime, then $\alpha^{N(\pi)-1} \equiv 1 \pmod{\pi}$. (Hint: Suppose that $p$ is the unique
rational prime with $\pi \mid p$. Consider separately the cases where $p \equiv 1 \pmod 4$, $p \equiv 2 \pmod 4$,
and $p \equiv 3 \pmod 4$.)


Define $\phi(\gamma)$, where $\gamma$ is a Gaussian integer, to be the number of elements in a reduced residue
system modulo $\gamma$. Prove the analog of Euler’s theorem for the Gaussian integers, which states
that if $\gamma$ is a Gaussian integer and $\alpha$ is a Gaussian integer that is relatively prime to $\gamma$, then
$\alpha^{\phi(\gamma)} \equiv 1 \pmod{\gamma}$.


Prove the analog of Wilson’s theorem for the Gaussian integers, which states that if $\pi$ is a
Gaussian prime and $\{\alpha_1, \alpha_2, \ldots, \alpha_r\}$ is a reduced system of residues modulo $\pi$, then
$\alpha_1 \alpha_2 \cdots \alpha_r \equiv -1 \pmod{\pi}$.


Show that in the Eisenstein integers (defined in Exercise 42 in Section 14.2),
a) the rational prime 2 is an Eisenstein prime.
b) a rational prime of the form $3k + 2$, where $k$ is a positive integer, is an Eisenstein prime.
c) a rational prime of the form $3k + 1$, where $k$ is a positive integer, factors into the product
of two primes that are not associates of one another.


Computations and Explorations 


1. In Chapter 13, we mentioned that Catalan’s conjecture has been settled, showing that $2^3$ and
$3^2$ are the only powers of rational integers that differ by 1. An open question for Gaussian
integers is to find all powers of Gaussian integers that differ by a unit. Show that $(11 + 11i)^2$
and $(3i)^5$, $(1 - i)^5$ and $(1 + 2i)^2$, and $(78 + 78i)^2$ and $(23i)^3$ are such pairs of powers. Can
you find other such pairs?


2. Show that $(3 + 13i)^3 + (7 + i)^3 = (3 + 10i)^3 + (1 + 10i)^3$, $(6 + 3i)^4 + (2 + 6i)^4 = (4 + 2i)^4 + (2 + i)^4$, (2+ 31 + 2-31 =F +1, $(1 + 6i)^5 + (3 - 2i)^5 = (6 + i)^5 + (-2 + 3i)^5$,
$(9 + 6i)^5 + (3 - 10i)^5 = (6 + i)^5 + (6 - 5i)^5$, and $(15 + 14i)^5 + (5 - 18i)^5 = (18 - 7i)^5 + (2 + 3i)^5$. Can you find other solutions of the equation $x^n + y^n = w^n + z^n$, where
$x$, $y$, $z$, and $w$ are Gaussian integers and $n$ is a positive integer?


3. Show that Beal’s conjecture, which asserts that there are no nontrivial solutions of the
diophantine equation $x^a + y^b = z^c$, where $a$, $b$, and $c$ are integers with $a \ge 3$, $b \ge 3$, and $c \ge 3$,
does not hold when $x$, $y$, and $z$ are allowed to be pairwise relatively prime Gaussian integers
by showing that $(-2 + i)^3 + (-2 - i)^3 = (1 + i)^4$. Can you find other counterexamples?


Programming Projects 


1. Find the number of ways to write a positive integer n as the sum of two squares.

2. Find all representations of a positive integer n as the sum of two squares.


A. Axioms for the Set of Integers


In this appendix, we state a collection of fundamental properties for the set of integers 
{..., —2, —1, 0, 1, 2, ...} that we have taken as axioms in the main body of the text. 
These properties provide the foundations for proving results in number theory. We begin 
with properties dealing with addition and multiplication. As usual, we denote the sum
and product of $a$ and $b$ by $a + b$ and $a \cdot b$, respectively. Following convention, we write
$ab$ for $a \cdot b$.


• Closure: $a + b$ and $a \cdot b$ are integers whenever $a$ and $b$ are integers.

• Commutative laws: $a + b = b + a$ and $a \cdot b = b \cdot a$ for all integers $a$ and $b$.

• Associative laws: $(a + b) + c = a + (b + c)$ and $(a \cdot b) \cdot c = a \cdot (b \cdot c)$ for all integers
$a$, $b$, and $c$.

• Distributive law: $(a + b) \cdot c = a \cdot c + b \cdot c$ for all integers $a$, $b$, and $c$.

• Identity elements: $a + 0 = a$ and $a \cdot 1 = a$ for all integers $a$.

• Additive inverse: For every integer $a$ there is an integer solution $x$ to the equation
$a + x = 0$; this integer $x$ is called the additive inverse of $a$ and is denoted by $-a$. By
$b - a$, we mean $b + (-a)$.

• Cancellation law: If $a$, $b$, and $c$ are integers with $a \cdot c = b \cdot c$, $c \ne 0$, then $a = b$.


We can use these axioms and the usual properties of equality to establish additional 
properties of integers. An example illustrating how this is done follows. In the main body 
of the text, results that are easily proved from these axioms are used without comment. 


Example A.1. To show that $0 \cdot a = 0$, begin with the equation $0 + 0 = 0$; this holds
because 0 is an identity element for addition. Next, multiply both sides by $a$ to obtain
$(0 + 0) \cdot a = 0 \cdot a$. By the distributive law, the left-hand side of this equation equals
$(0 + 0) \cdot a = 0 \cdot a + 0 \cdot a$. Hence, $0 \cdot a + 0 \cdot a = 0 \cdot a$. Next, subtract $0 \cdot a$ from both
sides (which is the same as adding the inverse of $0 \cdot a$). Using the associative law for
addition and the fact that 0 is an additive identity element, the left-hand side becomes
$0 \cdot a + (0 \cdot a - 0 \cdot a) = 0 \cdot a + 0 = 0 \cdot a$. The right-hand side becomes $0 \cdot a - 0 \cdot a = 0$.
We conclude that $0 \cdot a = 0$. ◀


Ordering of integers is defined using the set of positive integers {1, 2, 3, ...}. We
have the following definition.


Definition. If $a$ and $b$ are integers, then $a < b$ if $b - a$ is a positive integer. If $a < b$,
we also write $b > a$.

Note that $a$ is a positive integer if and only if $a > 0$.
The fundamental properties of ordering of integers follow.


• Closure for the positive integers: $a + b$ and $a \cdot b$ are positive integers whenever $a$ and
$b$ are positive integers.


• Trichotomy law: For every integer $a$, exactly one of the statements $a > 0$, $a = 0$, and
$a < 0$ is true.


The set of integers is said to be an ordered set because it has a subset that is closed 
under addition and multiplication and because the trichotomy law holds for every integer. 


Basic properties of ordering of integers can now be proved using our axioms, as the 
following example shows. Throughout the text, we have used without proof properties 
of ordering that easily follow from our axioms. 


Example A.2. Suppose that $a$, $b$, and $c$ are integers with $a < b$ and $c > 0$. We can
show that $ac < bc$. First, note that by the definition of $a < b$ we have $b - a > 0$.
Because the set of positive integers is closed under multiplication, $c(b - a) > 0$. Because
$c(b - a) = cb - ca$, it follows that $ca < cb$. ◀


We need one more property to complete our set of axioms. 


• The well-ordering property: Every nonempty set of positive integers has a least element.


We say that the set of positive integers is well ordered. On the other hand, the set of all 
integers is not well ordered, because there are sets of integers that do not have a smallest 
element (as the reader should verify). Note that the principle of mathematical induction 
discussed in Section 1.3 is a consequence of the set of axioms listed in this appendix. 
Sometimes, the principle of mathematical induction is taken as an axiom replacing 
the well-ordering property. When this is done, the well-ordering property follows as 
a consequence. 


EXERCISES 


1. Use the axioms for the set of integers to prove the following statements for all integers $a$, $b$,
and $c$.
a) $a \cdot (b + c) = a \cdot b + a \cdot c$
b) $(a + b)^2 = a^2 + 2ab + b^2$
c) $a + (b + c) = (c + a) + b$
d) $(b - a) + (c - b) + (a - c) = 0$


2. Use the axioms for the set of integers to prove the following statements for all integers $a$ and
$b$.
a) $(-1) \cdot a = -a$
b) $-(a \cdot b) = a \cdot (-b)$
c) $(-a) \cdot (-b) = ab$
d) $-(a + b) = (-a) + (-b)$


3. What is the value of $-0$? Give a reason for your answer.

4. Use the axioms for the set of integers to show that if $a$ and $b$ are integers with $ab = 0$, then
$a = 0$ or $b = 0$.


5. Show that an integer $a$ is positive if and only if $a > 0$.


6. Use the definition of the ordering of integers, and the properties of the set of positive integers,
to prove the following statements for integers $a$, $b$, and $c$ with $a < b$ and $c < 0$.
a) $a + c < b + c$
b) $a^2 \ge 0$
c) $ac > bc$
d) $c^3 < 0$


7. Show that if $a$, $b$, and $c$ are integers with $a > b$ and $b > c$, then $a > c$.


8. Show that there is no positive integer that is less than 1.
B. Binomial Coefficients


Sums of two terms are called binomial expressions. Powers of binomial expressions are
used throughout number theory and throughout mathematics. In this section, we will 
define the binomial coefficients and show that these are precisely the coefficients that 
arise in expansions of powers of binomial expressions. 


Definition. Let $m$ and $k$ be nonnegative integers with $k \le m$. The binomial coefficient
$\binom{m}{k}$ is defined by

$$\binom{m}{k} = \frac{m!}{k!(m-k)!}.$$

When $k$ and $m$ are positive integers with $k > m$, we define $\binom{m}{k} = 0$.


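In computing $\binom{m}{k}$, we see that there is a good deal of cancellation, because

$$\binom{m}{k} = \frac{m!}{k!(m-k)!} = \frac{1 \cdot 2 \cdot 3 \cdots (m-k)(m-k+1) \cdots (m-1)m}{k! \, 1 \cdot 2 \cdot 3 \cdots (m-k)} = \frac{(m-k+1) \cdots (m-1)m}{k!}.$$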

Example B.1. To evaluate the binomial coefficient (3), we note that 


We now prove some simple properties of binomial coefficients. 
Theorem B.1. Let $n$ and $k$ be nonnegative integers with $k \le n$. Then

(i) $\binom{n}{0} = \binom{n}{n} = 1$, and

(ii) $\binom{n}{k} = \binom{n}{n-k}$.


Proof. To see that (i) is true, note that 


and 


To verify (ii), we see that

$$\binom{n}{k} = \frac{n!}{k!(n-k)!} = \frac{n!}{(n-k)!(n-(n-k))!} = \binom{n}{n-k}.$$ ■


An important property of binomial coefficients is the following identity. 


Theorem B.2. Pascal’s Identity. Let $n$ and $k$ be positive integers with $n \ge k$. Then

$$\binom{n}{k} + \binom{n}{k-1} = \binom{n+1}{k}.$$


Proof. We perform the addition

$$\binom{n}{k} + \binom{n}{k-1} = \frac{n!}{k!(n-k)!} + \frac{n!}{(k-1)!(n-k+1)!}$$

by using the common denominator $k!(n-k+1)!$. This gives

$$\binom{n}{k} + \binom{n}{k-1} = \frac{n!(n-k+1)}{k!(n-k+1)!} + \frac{n!\,k}{k!(n-k+1)!} = \frac{n!((n-k+1)+k)}{k!(n-k+1)!} = \frac{n!(n+1)}{k!(n-k+1)!} = \frac{(n+1)!}{k!(n-k+1)!} = \binom{n+1}{k}.$$ ■

Using Theorem B.2, we can construct Pascal’s triangle, named after French mathematician
Blaise Pascal, who used the binomial coefficients in his analysis of gambling
games. In Pascal’s triangle, the binomial coefficient $\binom{n}{k}$ is the $(k + 1)$st number in the
$(n + 1)$st row. The first nine rows of Pascal’s triangle are displayed in Figure B.1. Pascal’s
triangle appeared in Indian and Islamic mathematics several hundred years before
it was studied by Pascal.


                1
              1   1
            1   2   1
          1   3   3   1
        1   4   6   4   1
      1   5  10  10   5   1
    1   6  15  20  15   6   1
  1   7  21  35  35  21   7   1
1   8  28  56  70  56  28   8   1

Figure B.1 Pascal's triangle. 


We see that the exterior numbers in the triangle are all 1. To find an interior number, 
we simply add the two numbers in the positions above, and to either side, of the position 
being filled. From Theorem B.2, this yields the correct integer. 


Binomial coefficients occur in the expansion of powers of sums. Exactly how they 
occur is described by the binomial theorem. 


Theorem B.3. The Binomial Theorem. Let $x$ and $y$ be variables, and $n$ be a positive
integer. Then

$$(x + y)^n = \binom{n}{0}x^n + \binom{n}{1}x^{n-1}y + \binom{n}{2}x^{n-2}y^2 + \cdots + \binom{n}{n-1}xy^{n-1} + \binom{n}{n}y^n,$$

or, using summation notation,

$$(x + y)^n = \sum_{j=0}^{n} \binom{n}{j} x^{n-j} y^j.$$


BLAISE PASCAL (1623-1662) exhibited his mathematical talents early even
though his father, who had made discoveries in analytic geometry, kept mathematical
books from him to encourage his other interests. At 16, Pascal discovered
an important result concerning conic sections. At 18, he designed a
calculating machine, which he had built and successfully sold. Later, Pascal
made substantial contributions to hydrostatics. Pascal, together with Fermat,
laid the foundations for the modern theory of probability. It was in his work
on probability that Pascal made new discoveries concerning what is now called
Pascal’s triangle, and gave what is considered to be the first lucid description of the principle of
mathematical induction. In 1654, catalyzed by an intense religious experience, Pascal abandoned his
mathematical and scientific pursuits to devote himself to theology. He returned to mathematics only
once: one night, he had insomnia caused by the discomfort of a toothache and, as a distraction, he
studied the mathematical properties of the cycloid. Miraculously, his pain subsided, which he took as
a signal of divine approval of the study of mathematics.


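Proof. We use mathematical induction. When $n = 1$, according to the binomial theorem,
the formula becomes

$$(x + y)^1 = \binom{1}{0}x^1 y^0 + \binom{1}{1}x^0 y^1.$$

But because $\binom{1}{0} = \binom{1}{1} = 1$, this states that $(x + y)^1 = x + y$, which is obviously true.


We now assume that the theorem is true for the positive integer $n$, that is, we assume
that

$$(x + y)^n = \sum_{j=0}^{n} \binom{n}{j} x^{n-j} y^j.$$

We must now verify that the corresponding formula holds with $n$ replaced by $n + 1$,
assuming the result holds for $n$. Hence, we have

$$(x + y)^{n+1} = (x + y)^n (x + y) = \left[\sum_{j=0}^{n} \binom{n}{j} x^{n-j} y^j\right](x + y) = \sum_{j=0}^{n} \binom{n}{j} x^{n-j+1} y^j + \sum_{j=0}^{n} \binom{n}{j} x^{n-j} y^{j+1}.$$

We see, by removing terms from the sums and subsequently shifting indices, that

$$\sum_{j=0}^{n} \binom{n}{j} x^{n-j+1} y^j = x^{n+1} + \sum_{j=1}^{n} \binom{n}{j} x^{n-j+1} y^j$$

and

$$\sum_{j=0}^{n} \binom{n}{j} x^{n-j} y^{j+1} = \sum_{j=0}^{n-1} \binom{n}{j} x^{n-j} y^{j+1} + y^{n+1} = \sum_{j=1}^{n} \binom{n}{j-1} x^{n-j+1} y^j + y^{n+1}.$$

Hence, we find that

$$(x + y)^{n+1} = x^{n+1} + \sum_{j=1}^{n} \left[\binom{n}{j} + \binom{n}{j-1}\right] x^{n-j+1} y^j + y^{n+1}.$$

By Pascal’s identity, we have

$$\binom{n}{j} + \binom{n}{j-1} = \binom{n+1}{j},$$

so we conclude that

$$(x + y)^{n+1} = x^{n+1} + \sum_{j=1}^{n} \binom{n+1}{j} x^{n+1-j} y^j + y^{n+1} = \sum_{j=0}^{n+1} \binom{n+1}{j} x^{n+1-j} y^j.$$

This establishes the theorem. ■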


The binomial theorem shows that the coefficients of $(x + y)^n$ are the numbers in the
$(n + 1)$st row of Pascal’s triangle.


We now illustrate one use of the binomial theorem. 


Corollary B.1. Let $n$ be a nonnegative integer. Then

$$2^n = (1 + 1)^n = \sum_{j=0}^{n} \binom{n}{j} 1^{n-j} 1^j = \sum_{j=0}^{n} \binom{n}{j}.$$

Proof. Let $x = 1$ and $y = 1$ in the binomial theorem. ■


Corollary B.1 shows that if we add all elements of the $(n + 1)$st row of Pascal’s
triangle, we get $2^n$. For instance, for the fifth row, we find that

$$\binom{4}{0} + \binom{4}{1} + \binom{4}{2} + \binom{4}{3} + \binom{4}{4} = 1 + 4 + 6 + 4 + 1 = 16 = 2^4.$$


EXERCISES 

. Find the value of each of the following binomial coefficients. 
a) ('p) ) (3) e) (7) 
) (7) d) (5) F) (79) 


. Find the binomial coefficients (), (), and Co); and verify that () + () = (‘?). 


. Use the binomial theorem to write out all terms in the expansions of the following expressions. 


a) (a+b)? c)(m—n)! e) 3x — 4y)> 
b)(x+y)!© = dd) (2a +.3b)4—s f) (Sx + 798 


4. What is the coefficient of $x^{99} y^{101}$ in $(2x + 3y)^{200}$?


5. Let $n$ be a positive integer. Using the binomial theorem to expand $(1 + (-1))^n$, show that

$$\sum_{k=0}^{n} (-1)^k \binom{n}{k} = 0.$$


. Use Corollary B.1 and Exercise 5 to find 
()+()+G)+
1 3 5 
7. Show that if $n$, $r$, and $k$ are integers with $0 \le k \le r \le n$, then

$$\binom{n}{r}\binom{r}{k} = \binom{n}{k}\binom{n-k}{r-k}.$$


* 8. What is the largest value of $\binom{m}{n}$, where $m$ is a positive integer and $n$ is an integer such that
$0 \le n \le m$? Justify your answer.


( ) ( ‘ ah ( ) ( ) : 


where n and r are integers with 1<r <n. 


and 


The binomial coefficients (*), where x is a real number and n is a positive integer, can be defined 


recursively by the equations (3) =x and 


10. Show from the recursive definition that if x is a positive integer, then (3) — eee where k 
is a integer with 1<k <x. 


‘ Bg : ‘ ae +1 
11. Show from the recursive definition that if x is a positive integer, then (*) + (441) = ( ae 
whenever n is a positive integer. 


12. Show that the binomial coefficient $\binom{n}{k}$, where $n$ and $k$ are integers with $0 \le k \le n$, gives the
number of subsets with $k$ elements of a set with $n$ elements.


13. Use Exercise 12 to give an alternate proof of the binomial theorem. 


14. Let $S$ be a set with $n$ elements and let $P_1$ and $P_2$ be two properties that an element of $S$ may
have. Show that the number of elements of $S$ possessing neither property $P_1$ nor property $P_2$
is

$$n - [n(P_1) + n(P_2) - n(P_1, P_2)],$$

where $n(P_1)$, $n(P_2)$, and $n(P_1, P_2)$ are the number of elements of $S$ with property $P_1$, with
property $P_2$, and both properties $P_1$ and $P_2$, respectively.


15. Let $S$ be a set with $n$ elements and let $P_1$, $P_2$, and $P_3$ be three properties that an element of $S$
may have. Show that the number of elements of $S$ possessing none of the properties $P_1$, $P_2$,
and $P_3$ is

$$n - [n(P_1) + n(P_2) + n(P_3) - n(P_1, P_2) - n(P_1, P_3) - n(P_2, P_3) + n(P_1, P_2, P_3)],$$

where $n(P_{i_1}, \ldots, P_{i_k})$ is the number of elements of $S$ with properties $P_{i_1}, \ldots, P_{i_k}$.


* 16. In this exercise, we develop the principle of inclusion-exclusion. Suppose that $S$ is a set with
$n$ elements and let $P_1, P_2, \ldots, P_t$ be $t$ different properties that an element of $S$ may have.
Show that the number of elements of $S$ possessing none of the $t$ properties is

$$n - [n(P_1) + n(P_2) + \cdots + n(P_t)] + [n(P_1, P_2) + n(P_1, P_3) + \cdots + n(P_{t-1}, P_t)] - [n(P_1, P_2, P_3) + n(P_1, P_2, P_4) + \cdots + n(P_{t-2}, P_{t-1}, P_t)] + \cdots + (-1)^t n(P_1, P_2, \ldots, P_t),$$

where $n(P_{i_1}, P_{i_2}, \ldots, P_{i_j})$ is the number of elements of $S$ possessing all of the properties
$P_{i_1}, P_{i_2}, \ldots, P_{i_j}$. The first expression in brackets contains a term for each property, the
second expression in brackets contains terms for all combinations of two properties, the third
expression contains terms for all combinations of three properties, and so forth. (Hint: For
each element of $S$, determine the number of times it is counted in the above expression. If an
element has $k$ of the properties, show that it is counted $1 - \binom{k}{1} + \binom{k}{2} - \cdots + (-1)^k \binom{k}{k}$ times;
this is 0 when $k > 0$, by Exercise 5.)


. Whatare the coefficients of (x; + x2 +- +--+ x,,)”? These coefficients are called multinomial 


coefficients. 
Write out all terms in the expansion of (x + y + z)’. 


What is the coefficient of xy*z> in the expansion of (2x — 3y + 5z)!2? 


COMPUTATIONAL AND PROGRAMMING EXERCISES 


1. Find the least integer $n$ such that there is a binomial coefficient $\binom{n}{k}$, where $k$ is a positive
integer, greater than 1,000,000.


Programming Projects 


1. Evaluate binomial coefficients.

2. Given a positive integer $n$, print out the first $n$ rows of Pascal’s triangle.

3. Expand $(x + y)^n$, given a positive integer $n$, using the binomial theorem.


C. Using Maple and Mathematica for Number Theory


Investigating questions in number theory often requires computations with large integers.
Fortunately, there are many tools available today that can be used for such computations.
This appendix describes how two of the most popular of these tools, Maple and Mathematica,
can be used to perform computations in number theory. We will concentrate on
existing commands in these two systems, both of which support extensive programming
environments that can be used to create useful programs for studying number theory. We
will not describe these programming environments here.


C.1 Using Maple for Number Theory


The Maple system is a comprehensive environment for numerical and symbolic compu- 
tations. It can also be used to develop additional functionality. We will briefly describe 
some of the existing support for number theory in Maple. For additional information 
about Maple, consult the Maple Web site at http://www.maplesoft.com. 


In Maple, commands for computations in number theory can be found in the 
numtheory package. Some useful commands for number theory are included in the 
standard set of Maple commands, and a few are found in other packages, such as the 
combinat package of combinatorics commands. You need to let Maple know when 
you want to use one or more commands from a package. This can be done in two 
ways: You can either load the package and then use any of its commands, or you can 
prepend the name of the package to a particular command. For example, after running
the command with(numtheory), you can use commands from the numtheory package
as you would standard commands. You can also run commands from this package by
simply prepending the name of the package before the command. You will need to do this
every time you use a command from the package, unless you run the with(numtheory)
command.


Additional Maple commands for number theory can be found in the Maple V Share 
Library, which can be accessed at the Maplesoft Application Center on the Web. 


A useful reference for using Maple to explore number theory (and other topics in discrete
mathematics) is Exploring Discrete Mathematics with Maple [Ro97] (an updated
version will be available at the Web site for the seventh edition of [Ro07]). This
book explains how to use Maple to find greatest common divisors and least common multiples,
apply the Chinese remainder theorem, factor integers, run primality tests, find base
b expansions, encrypt and decrypt using classical ciphers and the RSA cryptosystem, and
perform other number theoretic computations. Also, Maple worksheets for number theory
and cryptography, written by John Cosgrave for a course at St. Patrick’s College in
Dublin, Ireland, can be found at http://www.spd.dcu.ie/johnbcos/Maple_3rd_year.htm.


Maple Number Theory Commands 


The Maple commands relevant to material in this text are presented according to the 
chapter in which that material is covered. These commands are useful for checking com- 
putations in the text, for working or checking some exercises, and for the computations 
and explorations at the end of each section. Furthermore, programs in Maple can be 
written for many of the explorations and programming projects listed at the end of each 
section. For information about programming in Maple, consult the appropriate Maple ref- 
erence materials, such as the introductory and advanced programming guides available 
on the Maplesoft Web site. 


Chapter 1 


combinat[fibonacci](n) computes the nth Fibonacci number.

iquo(int_1, int_2) computes the quotient when int_1 is divided by int_2.

irem(int_1, int_2) computes the remainder when int_1 is divided by int_2.

floor(expr) computes the largest integer less than or equal to the real expression expr.

numtheory[divisors](n) computes the positive divisors of the integer n.


Maple code for investigating the Collatz 3x + 1 problem has been written by Gaston 
Gonnet and is available in the Maple V Release 5 Share Library. 


Chapter 2 
convert(int, base, posint) converts the integer int in decimal notation to a list
representing its digits base posint.


convert(int, binary) converts the integer int in decimal notation to its binary equivalent.


convert(int, hex) converts the integer int in decimal notation to its hexadecimal
equivalent.


convert(bin, decimal, binary) converts the integer bin in binary notation to its
decimal equivalent.


convert(oct, decimal, octal) converts the integer oct in octal notation to its decimal
equivalent.


convert(hex, decimal, hex) converts the integer hex in hexadecimal notation to its
decimal equivalent.


Chapter 3


isprime(n) tests whether n is prime.

ithprime(n) calculates the nth prime number, where n is a positive integer.

prevprime(n) calculates the largest prime smaller than the integer n.

numtheory[fermat](n) calculates the nth Fermat number.

ifactor(n) finds the prime-power factorization of an integer n.

ifactors(n) finds the prime integer factors of an integer n.

igcd(int_1, ..., int_n) computes the greatest common divisor of the integers int_1, ..., int_n.


igcdex(int_1, int_2) computes the greatest common divisor of the integers int_1 and int_2
using the extended Euclidean algorithm, which also expresses the greatest common
divisor as a linear combination of int_1 and int_2.


ilcm(int_1, ..., int_n) computes the least common multiple of the integers int_1, ..., int_n.


Chapter 4 


The operator mod can be used in Maple; for example, 17 mod 4 tells Maple to reduce 17 
to its least residue modulo 4. 


msolve(eqn,m) finds the integer solutions modulo m of the equation eqn. 


chrem([n_1, ..., n_r], [m_1, ..., m_r]) computes the unique positive integer int such that
int mod m_i = n_i for i = 1, ..., r.


Chapter 6


numtheory[phi](n) computes the value of the Euler phi function at n.


Chapter 7 


numtheory[invphi](n) computes the positive integers m with φ(m) = n.
numtheory[sigma](n) computes the sum of the positive divisors of the integer n.
numtheory[tau](n) computes the number of positive divisors of the integer n.


numtheory[bigomega](n) computes the value of Ω(n), the number of prime
factors of n.


numtheory[mersenne](n) determines whether the nth Mersenne number M_n = 2^n - 1
is prime.

numtheory[mobius](n) computes the value of the Möbius function at the integer n.
combinat[partition](n) lists all partitions of the positive integer n.


combinat[partition](n, m) lists all partitions of the positive integer n with all parts
not exceeding m.


Chapter 9 


numtheory[order](n_1, n_2) computes the order of n_1 modulo n_2.
numtheory[primroot](n) computes the smallest primitive root modulo n.


numtheory[mlog](n_1, n_2, n_3) computes the index, or discrete logarithm, of n_1 to the
base n_2 modulo n_3. (The function numtheory[index](n_1, n_2, n_3) is identical to this
function.)

numtheory[lambda](n) computes the minimal universal exponent of n.


Chapter 11 


numtheory[quadres](int_1, int_2) determines whether int_1 is a quadratic residue
modulo int_2.


numtheory[legendre](n_1, n_2) computes the value of the Legendre symbol (n_1/n_2).


numtheory[jacobi](n_1, n_2) computes the value of the Jacobi symbol (n_1/n_2).


numtheory[msqrt](n_1, n_2) computes the square root of n_1 modulo n_2.


Chapter 12 

numtheory[pdexpand](rat) computes the periodic decimal expansion of the rational
number rat.

numtheory[cfrac](rat) computes the continued fraction of the rational number rat.


numtheory[invcfrac](cf) converts a periodic continued fraction cf to a quadratic
irrational number.


Chapter 13


numtheory[sum2sqr](n) computes all sums of two squares that sum to n.


Chapter 14 


Maple supports a special package for working with Gaussian integers. To use the
commands in this package, first run the command


with(GaussInt);


After running this command, you can add, subtract, multiply, and form powers of
Gaussian integers using the same operators as you ordinarily do. Maple requires that you
enter the Gaussian integer a + ib as a + b*I. (That is, you must include the * operator
between b and the letter I, which Maple uses to represent the imaginary number i.)


GaussInt[GInearest](c) returns the Gaussian integer closest to the complex number
c, where the Gaussian integer of smallest norm is chosen in the case of ties.

GaussInt[GIquo](m, n) finds the Gaussian integer quotient when m is divided by n.

GaussInt[GIrem](m, n) finds the remainder Gaussian integer divisor when m is
divided by n.

GaussInt[GInorm](m) gives the norm of the complex number m.

GaussInt[GIprime](m) returns true when m is a Gaussian prime and false otherwise.

GaussInt[GIfactor](m) returns a factorization of m into a unit and Gaussian primes.


GaussInt[GIfactors](m) finds a unit and Gaussian prime factors and their
multiplicities in a factorization of the Gaussian integer m.


GaussInt[GIsieve](m), where m is a positive integer, generates a list of Gauss primes
a + ib with 0 < a < b and norm not exceeding m^2.




GaussInt[GIdivisor](m) finds the set of divisors of the Gaussian integer m in the
first quadrant.


GaussInt[GInodiv](m) computes the number of nonassociated divisors of m.


GaussInt[GIgcd](m_1, m_2, ..., m_r) finds the greatest common divisor in the first
quadrant of the Gaussian integers m_1, m_2, ..., m_r.


GaussInt[GIgcdex](a, b, 's', 't') finds the greatest common divisor in the first
quadrant of the Gaussian integers a and b and finds integers s and t such that as + bt
equals this greatest common divisor.


GaussInt[GIchrem]([a_0, a_1, ..., a_r], [u_0, u_1, ..., u_r]) computes the unique
Gaussian integer m such that m is congruent to a_i modulo u_i for i = 1, 2, ..., r.


GaussInt[GIlcm](a_1, ..., a_r) finds the least common multiple in the first quadrant
(that is, with positive real part and nonnegative imaginary part), in terms of norm, of the
Gaussian integers a_1, ..., a_r.

GaussInt[GIphi](n) returns the number of Gaussian integers in a reduced residue set
modulo n, where n is a Gaussian integer.


GaussInt[GIquadres](a, b) returns 1 if the Gaussian integer a is a quadratic residue
of the Gaussian integer b and -1 if a is a quadratic nonresidue of b.


Appendices 


binomial(n, r) computes the binomial coefficient n choose r.


C.2 Using Mathematica for Number Theory


The Mathematica system provides a comprehensive environment for numerical and 
symbolic computations. It can also be used to develop additional functionality. We will 
describe the existing Mathematica support for computations relating to the number 
theory covered in this text. For additional information on Mathematica, consult the 
Mathematica Web site at http://www.mathematica.com. 


Mathematica supports many number theory commands as part of its basic system.
Additional number theory commands can be found in Mathematica packages that are
collections of programs implementing functions in particular areas. The Mathematica
system bundles some add-on packages, called standard packages, with its basic
offerings. These standard packages include a group supporting commands for functions
from number theory, including ContinuedFractions, FactorIntegerECM,
NumberTheoryFunctions, and PrimeQ. There are other Mathematica packages that can
be obtained using the Internet; access them at http://www.mathsource.com. Consult the
Mathematica Book [Wo03] to learn how to load and use them.


You cannot use a command from a package without having first told Mathematica that
you want to run commands from this package, which is done by loading it. For example,
to load the package NumberTheoryFunctions, use the command


In[1]:= <<NumberTheory`NumberTheoryFunctions`


Another resource for using Mathematica for number theory computations is
Mathematica in Action by Stan Wagon [Wa99]. This book contains useful discussions of how
to use Mathematica to investigate large primes, run extended versions of the Euclidean
algorithm, solve linear diophantine equations, use the Chinese remainder theorem, work
with continued fractions, and generate prime certificates.


Number Theory Commands in Mathematica 


The Mathematica commands relevant to material covered in this book are presented here
according to the chapter in which that material is covered. (The command for loading
these functions if they are part of add-on packages is also provided.) These commands
are useful for checking computations in the text, for working or checking some of the
exercises, and for the computations and explorations at the end of each section.
Furthermore, it is possible to write programs in Mathematica for many of the explorations
and programming projects listed at the end of each section. Consult Mathematica
reference materials, such as the Mathematica Book [Wo03], for information about writing
programs in Mathematica.


Chapter 1 


Fibonacci[n] gives the nth Fibonacci number f_n.
Quotient[m, n] gives the integer quotient when m is divided by n.
Mod[m, n] gives the remainder when m is divided by n.


The Collatz (3x + 1) problem has been implemented in Mathematica by Ilan Vardi.
You can access this Mathematica package at
http://library.wolfram.com/infocenter/Demos/153/.


Chapter 2 


IntegerDigits[n, b] gives a list of the base b digits of n.


Chapter 3 


PrimeQ[n] produces output True if n is prime and False if n is not prime. 
Prime[n] gives the nth prime number.
PrimePi[x] gives the number of primes less than or equal to x.


In[1]:= <<NumberTheory`NumberTheoryFunctions`
NextPrime[n] gives the smallest prime larger than n.


GCD[n_1, n_2, ..., n_k] gives the greatest common divisor of the integers n_1, n_2, ..., n_k.


ExtendedGCD[n, m] gives the extended greatest common divisor of the integers n
and m.


LCM[n_1, n_2, ..., n_k] gives the least common multiple of the integers n_1, n_2, ..., n_k.


FactorInteger[n] produces a list of the prime factors of n and their exponents.

Divisors[n] gives a list of the integers that divide n.
IntegerExponent[n, b] gives the highest power of b that divides n.


In[1]:= <<NumberTheory`NumberTheoryFunctions`
SquareFreeQ[n] returns True if n contains a squared factor and False otherwise.


In[1]:= <<NumberTheory`FactorIntegerECM`
FactorIntegerECM[n] gives a factor of a composite integer n produced using Lenstra’s
elliptic curve factorization method.


Chapter 4 


Mod[k, n] gives the least nonnegative residue of k modulo n.
Mod[k, n, 1] gives the least positive residue of k modulo n.
Mod[k, n, -n/2] gives the absolute least residue of k modulo n.


PowerMod[a, b, n] gives the value of a^b mod n. Taking b = -1 gives the inverse of a
modulo n, if it exists.


In[1]:= <<NumberTheory`NumberTheoryFunctions`

ChineseRemainder[list_1, list_2] gives the smallest nonnegative integer r such that
Mod[r, list_2] equals list_1. (For example, ChineseRemainder[{r_1, r_2}, {m_1, m_2}]
produces the solution of the simultaneous congruence x = r_1 mod m_1 and x = r_2 mod m_2.)


Chapter 6 


EulerPhi[n] gives the value of the Euler phi function at n.


Chapter 7


DivisorSigma[k, n] gives the value of the sum of the kth powers of divisors function
at n. Taking k = 1 gives the sum of divisors function at n. Taking k = 0 gives the number
of divisors of n.


MoebiusMu[n] gives the value of μ(n).
PartitionsP[n] gives p(n), the number of partitions of the positive integer n.
IntegerPartitions[n] gives a list of all partitions of the integer n.


IntegerPartitions[n, k] gives a list of partitions of n into at most k integers.


Chapter 8 


The RSA Public Key Cryptosystem has been implemented in Mathematica by Stephan
Kaufmann. You can obtain the Mathematica package, instructions for how to use it, and
a Mathematica notebook at http://library.wolfram.com/infocenter/MathSource/1966/.


Chapter 9 


MultiplicativeOrder[k, n] gives the order of k modulo n.


PrimitiveRoot[n] gives a primitive root of n when n has a primitive root, and does
not evaluate when it does not.


In[1]:= <<NumberTheory`PrimeQ`
PrimeQCertificate[n] produces a certificate verifying that n is prime or composite.


CarmichaelLambda[n] gives the minimal universal exponent λ(n).


Chapter 11


JacobiSymbol[n, m] gives the value of the Jacobi symbol (n/m).


SqrtMod[d, n] gives a square root of d modulo n for odd n.


Chapter 12 


RealDigits[x] gives a list of the digits in the decimal expansion of x.
RealDigits[x, b] gives a list of the digits in the base b expansion of x.


The following functions dealing with decimal expansions are part of the
NumberTheory`ContinuedFractions` package. Load this package using
In[1]:= <<NumberTheory`ContinuedFractions` before using them.


PeriodicForm[{a_0, ..., {a_m, ...}}, exp] presents a repeated decimal expansion in
terms of a preperiodic and a periodic part.

PeriodicForm[{a_0, ..., {a_m, ...}}, expr, b] represents a base b expansion.

Normal[PeriodicForm[args]] gives the rational number corresponding to a decimal
expansion.


The following functions dealing with continued fractions are part of the
NumberTheory`ContinuedFractions` package. Load this package using
In[1]:= <<NumberTheory`ContinuedFractions` before using them.


ContinuedFraction[x, n] gives the first n terms of the continued fraction expansion
of x.


ContinuedFraction[x] gives the complete continued fraction expansion of a
quadratic irrational number.


FromContinuedFraction[list] finds a number from its continued fraction expansion.


ContinuedFractionForm[{a_0, a_1, ...}] represents the continued fraction with partial
quotients a_0, a_1, ....

ContinuedFractionForm[{a_0, a_1, ..., {p_0, p_1, ...}}] represents the continued
fraction with partial quotients a_0, a_1, ... and additional quotients p_1, p_2, ....

Normal[ContinuedFractionForm[quotients]] gives the rational or quadratic
irrational number corresponding to the given continued fraction.


Convergents[rat] gives the convergents for all terms of the continued fraction of a
rational or quadratic irrational x.


Convergents[num, terms] gives the convergents for the given number of terms of the
continued fraction expansion of num.


Convergents[cf] gives the convergents for the particular continued fraction cf
returned from ContinuedFraction or ContinuedFractionForm.

QuadraticIrrationalQ[expr] tests whether expr is a quadratic irrational.


Chapter 14 
Divisors[n, GaussianIntegers -> True] lists all Gaussian integer divisors of the 
Gaussian integer n. 


DivisorSigma[k, n, GaussianIntegers -> True] gives the sum of the kth powers of 
the Gaussian integer divisors of the Gaussian integer n. 


FactorInteger[n, GaussianIntegers -> True] produces a list of the Gaussian prime
factors of the Gaussian integer n with positive real parts, and nonnegative imaginary
parts, their exponents, and a unit.


PrimeQ[n, GaussianIntegers -> True] returns the value of True if n is a Gaussian 
prime and False otherwise. 


Appendices 


Binomial[n, m] gives the values of the binomial coefficient (n choose m).


Number Theory Web Links


In this appendix, we provide an annotated list of key number theory Web sites. These 
sites are excellent starting points for an exploration of number theory resources on the 
Web. At the time of publication of this book, these sites could be found at the URLs 
listed here. However, with the ephemeral nature of the Web, the addresses of these sites 
may change, they may cease to exist, or their content may change, and neither the author 
nor the publisher of this book is able to vouch for the contents of these sites. If you have 
trouble locating these sites, you may want to try using a search engine to see whether 
they can be found at a new URL. You will also want to consult the comprehensive guide
to all the Web references for this book at http://www.awlonline.com/rosen. This guide 
will help you locate some of the more difficult-to-find sites relevant to number theory 
and to cryptography. 


The Fibonacci Numbers and the Golden Section
(http://www.maths.surrey.ac.uk/hosted-sites/R.Knott/Fibonacci/)


An amazing collection of information about the Fibonacci numbers, including their 
history, where they arise in nature, puzzles involving the Fibonacci numbers, and their 
mathematical properties can be found on this site. Additional material addresses the 
golden section. An extensive collection of links to other sites makes this an excellent 
place to start your exploration for information about Fibonacci numbers. 


The Prime Pages (http://www.utm.edu/research/primes/) 


This is the premier site for information about prime numbers. You can find a glossary, 
primers, articles, the Prime FAQ, current records, conjectures, extensive lists of primes 
and prime factorizations, as well as links to other sites, including those that provide 
useful software. This is a great site for exploring the world of primes! 


The Great Internet Prime Search (http://www.mersenne.org) 


Find the latest discoveries about Mersenne primes at this site. You can download software 
from this site to search for Mersenne primes, as well as primes of other special forms. 
Links to other sites related to searching for primes and factoring are provided. This is 
the site to visit to sign up for the communal search for a new prime of world-record size! 

The MacTutor History of Mathematics Archives
(http://www-groups.dcs.st-and.ac.uk/history/index.html)


This is the main site to visit for biographies of mathematicians. Hundreds of important 
mathematicians from ancient to modern times are covered. You can also find essays on 
the history of important mathematical topics, including the prime numbers and Fermat’s 
last theorem. 


Frequently Asked Questions in Mathematics
(http://www.cs.uwaterloo.ca/~alopez-o/math-faq/math-faq.html)


This is a compilation of the frequently asked questions from the USENET newsgroup 
sci.math. It contains several sections of questions relating to number theory, including 
primes and Fermat’s last theorem, as well as a potpourri of historical information and 
mathematical trivia. 


The Number Theory Web (http://www.numbertheory.org/ntw/web.html) 


This site provides an amazing collection of links to sites containing information relevant
to number theory. You can find links to sites providing software for number theory
calculations, course notes, articles, online theses, historical and biographical information,
conference information, job postings, and everything else on the Web related to number
theory.


RSA Labs-Cryptography FAQ
(http://www.rsa.com/products/bsafe/documentation/crypto-c_me21html/RSA_Labs_FAQ_4.1.pdf/)


This site provides an excellent overview of modern cryptography. You can find
descriptions of cryptographic applications, cryptographic protocols, public and private key
cryptosystems, and the mathematics behind them.


The Mathematics of Fermat’s Last Theorem
(http://cgd.best.vwh.net/home/flt/flt01.htm)

This site provides an excellent introduction to Fermat’s last theorem. It provides
discussions of each of the important topics involved in the proof of the theorem.

NOVA Online-The Proof (http://www.pbs.org/wgbh/nova/proof) 


This site provides material relating to a television program on the proof of Fermat’s last 
theorem. Included are transcripts of the program and of an interview with Andrew Wiles, 
as well as links to other sites on Fermat’s last theorem. 

E Tables


Table E.1 gives the least prime factor of each odd positive integer less than 10,000 and 
not divisible by 5. The initial digits of the integer are listed to the side, and the last digit 
is at the top of the column. Primes are indicated with a dash. The table is reprinted with 
permission from U. Dudley, Elementary Number Theory, Second Edition, Copyright © 
1969 and 1978 by W. H. Freeman and Company. All rights reserved. 


Table E.3 gives the least primitive root r modulo p for each prime p, p < 1000. 


Table E.4 is reprinted with permission from J. V. Uspensky and M. A. Heaslet,
Elementary Number Theory, McGraw-Hill Book Company. Copyright © 1939.


1 3 7 9   1 3 7 9   1 3 7 9   1 3 9
OS eis 4 40 — 13 11 — 80 3 11 3 — 
——— 3 a ead A, 81 — 3 19 3 
yr Aina BAS a ee 
2. Be. B AZ Se, 19° 83 3 7 3— 
ne, | a a 84 29 3 7 3 
Se. Bae 45 11 3 — 3 ek re 
6=—] 3: = 3 46-7 86 3 — 3 ll 
Lit AT 3 1-3 = 87 13 3 — 3 
a rn, ee 48 13 3 — 3 ey 
9 73— 3 AQ HIF — 89 3 19 3 29 
—— a 50 3 — = 9017 3 — 3 
11 3— 3 7 51 7 3 11 3 91 — 11 7 — 
1211 3 — 3 52. SS 1 92313 3 — 
19 OP eS 53 313 3 7 3 7 3— 3 
4311 3 — of rn ee 94 — 23 — 13 
157 nae 3 55 19 7 — 13 95 3— 3 7 
146 7— — 13 563 — 3 — 9 31 3 — 3 
i a en of nes ee, 7 — 7— 11 
18 — 3 11 3 58 7 11 — 19 98 3 — 3 23 
er 59 3 — 3 — 9 — 3 — 3 
200 3 7 311 60° 35.9 100 7 17 19 — 
OG GD. A 3 61 13 SS 101 3— 3 — 
W218 Se 62 3 7 317 1022 — 3 13 3 
3.3. 3.— 6 — 3 7 3 103. Sa IT 
24— 313 3 64 — — — 11 104 373— 
25 So 1 Se 7 6 3.— s— 105 — 3 7 3 
263 — 3 — 66 — 3 23 3 106 — — 11 — 
OF =>. Bie, 3 6f Ti. HS 7 107 3 29 3 13 
28 est OE AG 68 3 — 3 13 108 23 3 — 3 
29 3 — 3 13 69 — 3 17 3 109 SS 7 
30 7 3 — 3 70 — 19 7 — 110 3 — 3 — 
aes Bl 71 3 23 = 111 11 3 — 3 
32 317 3 +7 (a a | 11219 = oS 
a BoP Tk 113 3 11 3 17 
34 11 7 — — fae S32 S Beg 114 7 3 31 3 
35 3 — 3 — 15 3 a= 3 115 — — 13 19 
36 19 3 — 3 166 ==) 7 13. 1146 3— 3 7 
37°. F-— 13. 77 3 — 3 19 117 — 3 11 3 
38 PS a 78 11 3 — 3 118 — 7 — 29 
39 17 3 — 3 79 7 13 — 17 119 3 — 3 11 


Table E.1 Factor table. 

1 3 7 9   1 3 7 9   1 3 7 9
200 3 — 3 7 240 7 3 29 3 280 — — 7 53 
201 — 3 — 3 241 — 19 — 41 281 3 29 3 — 
202 438 7 — — 2422 3 — 3 7 282 7 3 11 3 
203 3 19 3 — 243 11 3 — 3 283 19 — — 17 
204 13 3 23) 3 244 — 7 — 31 284 3 — 3 7 
205 7 — ll 29 245 3 11 3 — 285 — 3 — 3 
206 3 — 3 — 246 23 3 — 3 286 — 7 47 19 
207 19 3 31 3 247 7 — — 37 287 3 13 3 — 
208 — — — — 248 13 3 19 288 43 3 — 3 
209 3 7 3 — 249 47 3 11 3 289 7 11 — 13 
210 11 3 7 3 250 41 — 23 13 290 3 — 3 — 
211 — — 29 13 251 3 7 3 iil 291 41 3 — 3 
212 3 11 3 — 252 — 3 7 3 292 23 37 — 29 
213 — 3 — 3 253 — 17 43 — 2933 3 7 3 — 
214 — — 19 7 254 3 — 3 — 294 17 3 7 3 
215 3 — 317 255 — 3 — 3 295 13 — — ll 
216 — 3 11 3 256 13 11 17 7 296 3 — 3 — 
217 13 41 7 — 257 3 31 3 — 297 — 3 13 3 
218 3 37 3 Ii 258 29 3 13 3 298 11 19 29 7 
219 7 3 13 3 259 — — 7 23 299 3 41 3 — 
220 31 — — 47 260 3 19 3 — 300 — 3 31 3 
221 3 — 3 7 261 7 3— 3 301 — 23 7 — 
222 — 3 17 3 262 — 43 37 11 302 3 — 13 
223 23 7 — — 263 3 — 3 7 303 7 3 — 3 
224 3 — 3 13 264 19 3 — 3 304 — 17 11 — 
225 — 3 37 3 265 11 7 — — 305 3 43 3 7 
226 7 31 — — 266 3 — 3 17 306 — 3 — 3 
227 3 — 3 43 267 — 3 — 3 307 37 7 17 — 
228 — 3 — 3 268 7 — — — 308 3 — 3 — 
229 29 — — I1 269 3 — 3 — 309 11 3 19 3 
230 3 7 3 — 270 37 3 — 3 310 7 29 13 — 
231 — 3 7 3 271 — — ll — 311 3 11 3 — 
232 11 23 13 17 272 3 7 3 — 312 — 3 53 3 
233 3 — 3 — 273 — 3 7 3 313 31 13 — 43 
234 — 3 — 3 274 — 13 41 — 314 3 7 3 47 
235 — 13 — 7 275 3 — 3 3i1 315 23 3 7 3 
236 3 17° 3 23 276 11 3 — 3 316 29 — — — 
237 — 3 — 3 277 17 47 — 7 317 3 19 3 11 
238 — — 7 — 278 3 11 3 — 318 — 3 — 3 
239 3 — 3 — 279 — 3 — 3 319 — 31 23 


Table E.1 (continued) 

1 3 7 9   1 3 7 9   1 3 7 9   1 3 7 9
360 13 3 — 3 400 — — — 19 4400 3 7 3— 
361 23 — — 7 401 3 — 3 — 441 11 3 7 3 
362 3 — 3 19 402 — 3 — 3 442 — — 19 43 
363 — 3 — 3 403 29 37 11 7 448 3 11 3 23 
364 11 — 7 41 404 3 13 3 — 44—- 3 — 
365 3 13 3 — 405 — 3 — 3 445 — 61 — 
366 7 3 19 3 406 31 17 7 13 446 3 — 3 41 
367 — — — 13 407 3 — 3 — 447 17 3 11 3 
368 3 29 3 7 408 7 3 61 3 448 — — 7 67 
369 — 3 — 3 409 — — 17 — 449 3 — 3 11 
370 — 7 ll — 410 3 11 3 7 450 7 3 — 3 
371 3 47 3 — 411 — 3 23 3 451 13 — — — 
372 61 3 — 3 412 13 7 — — 452 3 — 3 7 
373 7 — 37 — 413 3 — 3 — 453 23 3 13 3 
374 3 19 3 23 414 41 3 11 3 454 19 7 — — 
375 11 3 13 3 415 7 — — — 455 3 29 3 47 
376 — 53 — — 4146 3 23 3 ll 456 — 3 — 3 
377 3 3 — 417 48 3 — 3 457 7 17 23 19 
378 19 3 7 3 418 37 47 53 59 458 3 — 3 13 
379 17 — — 29 419 3 7 3 13 459 — 3 — 3 
380 3 — 3 31 4200 — 3 7 3 460 43 — 17 ll 
381 37 3 11 3 421 — ll — — 461 3 7 3 31 
382 — — 43 7 422 3 41 3 — 442 — 3 7 3 
383 3 — 3 Il 423 — 3 19 3 463 11 41 — — 
384 23 3 — 3 424 — — 31 7 444 3 — 3 — 
385 — — 7 17 4255 3 — 3 — 4645 — 3 — 3 
386 3 — 3 53 426 — 3 17 3 466 59 — 13 7 
387 7 3 — 3 427 — — 711 4647 3 — 3 — 
388 — 11 13 — 428 3 — 3 — 468 31 3 48 3 
389 3 17 3 7 429 7 3 — 3 469 — 13 7 37 
390 47 3 — 3 430 11 13 59 31 470 3 — 17 
391 — 7 — — 431 3 19 3 7 471 7 3 53 3 
392 3 — 3 — 432 29 3 — 3 472 — — 29 — 
393 — 3 31 3 433 61 7 — — 473 3 — 3 7 
394 7 — — Il 434 3 43 3 — 474 11 3 47 3 
395 3 59 37 3 435 19 3 — 3 475 — 7 67 — 
396 17 3 — 3 436 7 — 11 17 476 3 11 3 19 
397 11 29 41 23 437 3 — 3 29 477 13 3 17 3 
398 3 7 3 — 438 13 3 41 3 478 7 — — — 
399 13 3 7 3 439 — 23 — 53 479 3 — 3 — 


Table E.1 (continued) 

1 3 7 9   1 3
520 7 11 41 — 560 3 13 
521 3 13 3 17 561 31 3 
522 23 3 — 3 562 — 
523 — — — 13 563 43 
524 3 7 3 29 564 — 3 
525 59 3 7 3 565 — — 
526 — 19 23 11 566 3 7 
527 3 — 3 — 567 53 3 
528 — 3 17 3 568 13 — 
529 11 67 — 7 569 3 — 
530 3 — 3 — 570 — 3 
531 47 3 13 3 571 — 29 
532 17 — 7 73 572 3 59 
533 3 — 3 19 573 11 3 
534 7 3 — 3 574 — — 
535 — 53 11 23 575 3 ll 
536 3 31 3 7 576 7 3 
537 41 3 19 3 577 29 23 
538 — 7 — 17 578 3 — 
539 3 — 3 — 579 — 3 
540 11 3 — 3 580 — 7 
541 7 — — — 581 3 — 
542 3 ll 3 61 582 — 3 
543 — 3 — 3 583 7 19 
544 — — 13 — 584 3 — 
545 3 7 3 53 585 — 3 
546 48 3 7 3 586 — ll 
547 — 13 — — 587 3 
548 3 — 3 Il 588 — 
549 17 3 23 3 589 43 71 
550 — — — 7 590 3 — 
551 3 37 3 — 591 23 3 
552 — 3 — 3 592 31 — 
553 — ll 7 29 593 3 17 
554 3 23 3 31 594 13 3 
555 7 3 — 3 595 11 — 
556 67 — 19 — 596 3 67 
557 3 — 3 7 597 3 
558 — 3 37 3 598 — 31 
559 — 7 29 11 599 3 13 


Table E.1 (continued) 

1 3 7 9   1 3 7 9   1 3 7 9   1 3 7 9
640 37 19 43 13 680 3 — 3 ll 720 19 3 — 3 
641 3 11 3 +7 681 7 3 17 3 721 — — 7 — 

682 19 — — — 722 331 3 — 
683 3 — 3 7 723 7 3— 3 
684 — 3 41 3 724 13 — — ill 
685 13 7 — 19 725 3 — 3 

686 3 — 3 — 726 53 3 13 «3 
687 — 3 13 3 727 11 7 19 29 
688 7 — 71 83 728 3 — 3 37 
689 3 61 3 — 729 23 3 — 3 
690 67 3 — 3 730 7 67 — — 
691 — 31 — ll 731 3 71 3 13 
692 3 7 3 13 732 — 3 17 3 
693 29 3 7 3 733 — — ll 41 
694 11 53 — — 734 3°73 — 
695 3 17 3 — 735 — 3 7 3 
696 — 3 — 3 736 17 37 53 — 
697 — 19 — 7 737 3 73 3 47 
698 3 — 3 29 738 11 3 83 3 
699 — 3 — 3 739 19 — 13 7 
700 — 47 7 43 740 3 11 3 31 
701 3 — 3 — 741 — 3 — 3 
702 7 3 — 3 742 41 13 7 17 
703 79 13 31 — 743 3 — 3 43 
104° 3— 3 +7 744 7 3 11 3 
705 11 3 — 3 745 — 29 — — 
706 23 7 37 — 746 317 3 +7 
707 3 11 3 — 747 31 3 — 3 
708 73 3 19 3 748—- 7J— — 
709 7 41 47 31 749 3 59 3 — 
710 3— 3 — 750 13 3 — 3 
711 13° 3 11 «3 751 7 1 — 73 
M2 — 17 — — 752 3 — 3 — 
713 3 7 #3 «11 753 17 3 — 3 
714 37 3 7 3 754 — 19 — — 
715 — 23 17 — 755 3 3 — 
716 3 13 3 67 156 — 3 7 3 
717 71 3 — 3 757 67 — — Il 
718 43 11 — 7 758 3 — 3 — 
7119 3 — 3 23 7159 — 3 71 3 


Table E.1 (continued) 

1 3 7 9   1 3 7 9
840 31 3 7 3 880 13 — — 23 
841 13 47 19 — 881 3 7 3 — 
842 3 — 3 — 882 — 3 7 3 
843 — 3 ll 3 883 — 11 — — 
844 23 — — 7 884 3 37 3 — 
845 3 799 3 Il 885 53 3 17 3 
846 — 3 — 3 886 — — — 7 
847 43 37 7 61 887 3 19 3 13 
848 3 17 3 13 888 83 3 — 3 
849 7 3 29 3 889 17 — 11 
850 — 11 47 67 890 29 3 «+59 
851 3 — 3 7 891 3 37 3 
852 — 3 — 3 892 11 — 79 — 
853 19 7 — — 893 3 — 3 7 
854 3 — 3 83 8944 — 3 23 3 
855 17 3 438 3 895 — 7 13 17 
856 7 — 13 Il 896 3 — 3 — 
857 3 — 3 23 897 — 3 47 3 
858 — 3 31 3 898 7 13 11 89 
859 11 13 — — 899 3 17 3 — 
860 3 3 — 900 — 3 — 3 
861 79 3 7 3 901 — — 71 29 
862 37 — — — 902 3 7 _— 
863 3 89 3 53 903 11 3 7 3 
864 — 3 — 3 904 — — 83 — 
865 41 17 11 7 9055 3 11 3 — 
866 3 — 3 — 906 13 3 — 
867 13 3 — 3 907 47 43 29 7 
868 — 19 7 — 908 3 31 3 61 
869 3 — 3 — 9099 — 3 11 3 
870 7 3 — 3 910 19 — 7 — 
871 31 — 239 — 911 31 11 
872 3 11 3 7 912 3 — 3 
873 — 3 — 3 913 23 — — 13 
874 — 7 — 13 914 341 3 7 
875 3 — 3 193 915 — 3 — 
876 — 3 ll 3 916 — 7 89 53 
877 7 31 67 — 917 3 — 3 67 
878 3 — 3 I! 918 — 3 — 3 
879 59 3 19 3 919 7 29 17 — 


Table E.1 (continued) 

1 3 7 9   1 3 7 9   1 3 7 9
960 — 3 13 3 970 89 31 18 7 980 3 — 3 17 
961 7 — 59 — 971 3 11 3 — 981 — 3 — 3 
962 3 — 3 — 972 — 3 71 3 982 7 11 31 — 
963 — 3 23 3 973 37 — — 983 3 — 3 — 
9644 31 — ll — 974 3 — 3 — 984 13 3 43 3 
9655 3 7 3 13 975 7 3 11 3 985 — 59 — — 
966 — 3 7 3 976 43 13 — — 986 3 7 3 71 
967 19 17 — — 977 3 29 3 987 — 3 7 3 
968 3 23 3 — 978 — 3 — 3 988 41 — — ll 
969 11 3 — 3 979 — 7 97 41 989 3 13 3 19 


Table E.1 (continued) 

  n  φ(n)  τ(n)  σ(n)  |    n  φ(n)  τ(n)  σ(n)
  1     1     1     1  |   51    32     4
  2     1     2     3  |   52    24     6
  3     2     2     4  |   53    52     2
  4     2     3     7  |   54    18     8
  5     4     2     6  |   55    40     4
  6     2     4    12  |   56    24     8
  7     6     2     8  |   57    36     4
  8     4     4    15  |   58    28     4
  9     6     3    13  |   59    58     2
 10     4     4    18  |   60    16    12
 11    10     2    12  |   61    60     2
 12     4     6    28  |   62    30     4
 13    12     2    14  |   63    36     6
 14     6     4    24  |   64    32     7
 15     8     4    24  |   65    48     4
 16     8     5    31  |   66    20     8
 17    16     2    18  |   67    66     2
 18     6     6    39  |   68    32     6
 19    18     2    20  |   69    44     4
 20     8     6    42  |   70    24     8
 21    12     4    32  |   71    70     2
 22    10     4    36  |   72    24    12
 23    22     2    24  |   73    72     2
 24     8     8    60  |   74    36     4
 25    20     3    31  |   75    40     6
 26    12     4    42  |   76    36     6
 27    18     4    40  |   77    60     4
 28    12     6    56  |   78    24     8
 29    28     2    30  |   79    78     2
 30     8     8    72  |   80    32    10
 31    30     2    32  |   81    54     5
 32    16     6    63  |   82    40     4
 33    20     4    48  |   83    82     2
 34    16     4    54  |   84    24    12
 35    24     4    48  |   85    64     4
 36    12     9    91  |   86    42     4
 37    36     2    38  |   87    56     4
 38    18     4    60  |   88    40     8
 39    24     4    56  |   89    88     2
 40    16     8    90  |   90    24    12
 41    40     2    42  |   91    72     4
 42    12     8    96  |   92    44     6
 43    42     2    44  |   93    60     4
 44    20     6    84  |   94    46     4
 45    24     6    78  |   95    72     4
 46    22     6    72  |   96    32    12
 47    46     2    48  |   97    96     2
 48    16    10   124  |   98    42     6
 49    42     3    57  |   99    60     6
 50    20     6    93  |  100    40     9


Table E.2 Values of some arithmetic functions. 

Table E.3 Primitive roots modulo primes. 




Numbers 

p 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

3 2 1 

5 4 1 3 2 Indices 

7 6 2 1 4 5 3 
11 10 1 8 2 4 9 7 3 6 5 
13 12 1 4 2 9 5 11 3 8 10 7 6 
17 16 14 1 12 5 15 11 10 2 3 7 13 4 9 6 8 
19 18 1 13 2 16 14 6 3 8 17 12 15 5 7 ill 4 
23 22 2 16 4 1 18 19 6 10 3 9 20 14 21 17 8 
29 28 1 5 2 22 6 12 3 10 23 25 7 #18 13 = 27 4 
31 30 24 1 18 20 25 28 12 2 14 23 #19 #11 #22 «21 0 
37 36 1 26 2 23 27 32 3 16 24 30 28 11 33 += «13 4 
41 40 26 15 12 22 1 39 38 30 8 3 27 31 25 37 =24 
43 42 27 1 12 25 28 35 39 2 10 30 13 32 20 26 24 
47 46 18 20 36 1 38 32 8 40 19 7 10 «11 4 21 26 
53 52 1 17 2 47 #18 = «14 3 34 48 6 19 24 15 12 4 
59 58 1 50 2 6 51 18 3. 42 7 25 52 45 #19 56 4 
61 60 1 6 2 22 7 49 3 12 23 #15 8 40 50 28 4 
67 66 1 39 2 15 40 23 3 12 16 59 41 19 24 54 4 
71 70 6 26 12 28 32 1 18 52 34 31 38 39 7 54 24 
73 72 8 6 16 1 14 33 24 12 9 55 22 59 41 7 32 
79 78 4 1 8 62 5 53 12 2 66 68 9 34 57 6 16 
83 82 1 72 2 27 73 8 3 62 28 24 74 77 9 17 4 
89 88 16 1 32 70 17 81 48 2 86 84 33 23 9 71 64 
97 96 34 70 68 1 8 31 6 44 35 86 42 25 65 71 40 


24 25 26 


Table E.4 Indices. 

Numbers
p 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49
37 8 19 18 
41 19 21 2 32 35 6 20 Indices 
43 23 18 «14 7 4 33 22 6 21 
47 34 33 30 42 #17 «321 9 15 24 13 43 41 23 
53 11 9 36 30 38 41 50 45 32 22 8 29 40 44 21 23 
59 41 24 44 55 39 37 9 14 11 33 27 48 16 #23 54 36 
61 48 11 14 39 27 46 25 54 56 43 17 34 58 20 10 = 38 
67 65 38 14 22 11 58 18 «53 += 63 9 61 27 29 50 43 46 
71 55 29 64 20 22 65 46 25 33 48 43 10 21 9 50 2 
78 29 34 28 64 70 65 25 4 47 51 71 13 54 %31 #38 «66 
79 25 37 10 19 36 35 74 75 58 49 76 64 30 59 17+ 28 
83 57 35 64 20 48 67 30 40 81 71 26 7 61 23 76 16 
89 22 63 34 #11 #51 24 #30 21 10 29 #28 #72 «#73 «54 #65 «+74 
97 27 32 16 91 19 95 7 85 39 4 58 45 15 84 14 62 
Numbers 
p 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
53 43 27 26 
59 13. 32 47 22 35 31 21 #30 29 Indices 
61 45 53 42 33 19 37 52 32 36 31 # £30 
67 31 37 21 57 52 8 26 49 45 36 56 7 48 35 6 34 
71 62 5 51 23 14 59 19 42 4 3 66 69 17 53 36 67 
73 10 27 3 53 26 56 S57 68 43 5 23 58 19 45 48 60 
79 50 22 42 77 7 52 65 33 15 31 71 45 #60 55 24 #18 
83 55 46 79 59 53 51 11 #37 13 34 #19 66 39 70 6 22 
89 68 7 55 78 19 66 41 36 75 43 15 69 47° 83 8 5 
97 36 63 93 #10 52 87 #37 «55 «6©4706«€©6706 64306 «66406 6800675—C12~—C—ti26 
Numbers 
p 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81
67 33 
71 63 47 61 41 = «35 Indices 
78 69 50 37 52 42 44 36 
79 73 48 29 27 41 #51 14 #+444 #+23 «#47 «440 «+43 ~=~«39 
83 15 45 58 50 36 33 65 69 21 44 49 32 68 43 31 42 
89 13 56 38 58 79 62 50 20 27 53 67 #=77 #40 42 46 4 
97 94 57 61 S51 66 11 50 28 29 72 53 21 33 #30 41 ~= 88 
Numbers
p 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96
Indices
83 41
89 37 61 26 76 45 60 44
97 23 17 73 90 38 83 92 54 79 56 49 20 22 82 48


Table E.4 (continued) 
Indices
p 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Numbers
3 2 1
5 2 4 3 1
7 3 2 6 4 5 1
11 2 4 8 5 10 9 7 3 6 1
13 2 4 8 3 6 12 11 9 5 10 7 1
17 3 9 10 13 5 15 11 16 14 8 7 4 12 2 6 1
19 2 4 8 16 13 7 14 9 18 17 15 11 3 6 12 5
23 5 2 10 4 20 8 17 16 11 9 22 18 21 13 19 3
29 2 4 8 16 3 6 12 24 19 9 18 7 14 28 27 25
31 3 9 27 19 26 16 17 20 29 25 13 8 24 10 30 28
37 2 4 8 16 32 27 17 34 31 25 13 26 15 30 23 9
41 6 36 11 25 27 39 29 10 19 32 28 4 24 21 3 18
43 3 9 27 38 28 41 37 25 32 10 30 4 12 36 22 23
47 5 25 31 14 23 21 11 8 40 12 13 18 43 27 41 17
53 2 4 8 16 32 11 22 44 35 17 34 15 30 7 14 28
59 2 4 8 16 32 5 10 20 40 21 42 25 50 41 23 46
61 2 4 8 16 32 3 6 12 24 48 35 9 18 36 11 22
67 2 4 8 16 32 64 61 55 43 19 38 9 18 36 5 10
71 7 49 59 58 51 2 14 27 47 45 31 4 28 54 23 19
73 5 25 52 41 59 3 15 2 10 50 31 9 45 6 30 4
79 3 9 27 2 6 18 54 4 12 36 29 8 24 72 58 16
83 2 4 8 16 32 64 45 7 14 28 56 29 58 33 66 49
89 3 9 27 81 65 17 51 64 14 42 37 22 66 20 60 2
97 5 25 28 43 21 8 40 6 30 53 71 64 29 48 46 36


Indices
p 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33
Numbers
19 10 1
23 15 6 7 12 14 1


Table E.4 (continued) 
p 34 35 36 37 38 39 43 44 45 46 47 48 49
Numbers
37 28 19 1
41 20 38 23 15 8 7
43 31 7 21 20 17 8
47 34 29 4 20 6 30 44 32 19 1
53 9 18 36 19 38 23 50 47 41 29 5 10 20
59 27 54 49 39 19 38 18 36 13 26 52 45 31
61 45 29 58 55 49 37 43 25 50 39 17 34 7
67 65 63 59 51 35 3 48 29 58 49 31 62 57
71 10 70 64 22 12 13 44 24 26 40 67 43 17
73 35 29 72 68 48 21 58 71 63 23 42 64 28
79 13 39 38 35 26 78 77 73 61 25 75 67 43
83 59 35 70 57 31 62 79 75 67 51 19 38 76
89 36 19 57 82 68 26 59 88 86 80 62 8 24
97 2 10 50 56 86 42 60 9 45 31 58 96 92

p 50 51 52 53 54 55 59 60 61 62 63 64 65
Numbers
53 40 27 1
59 3 6 12 24 48 37
61 14 28 56 51 41 21 31 1
67 47 27 54 41 15 30 11 22 44 21 42 17 34
71 48 52 9 6 15 34 55 30 68 50 66 36 39
73 67 43 69 53 46 11 13 65 33 19 22 37 39
79 50 71 55 7 21 63 47 62 28 5 15 45 56
83 69 55 27 54 25 50 53 23 46 9 18 36 72
89 72 38 25 75 47 52 29 87 83 71 35 16 48
97 72 69 54 76 89 57 26 33 68 49 51 61 14

p 66 67 68 69 70 71 75 76 77 78 79 80 81
67 1
71 60 65 29 61 1
73 49 26 57 66 38 44
79 10 30 11 33 20 60 41 44 53 1
83 61 39 78 73 63 43 24 48 13 26 52 21 42
89 55 76 50 61 5 15 58 85 77 53 70 32 7
97 70 59 4 20 3 15 63 24 23 18 90 62 19

p 82 83 84 85 86 87 91 92 93 94 95 96
Numbers
83 1
89 21 63 11 33 10 30
97 95 87 47 41 11 55 37 88 52 66 39 1


Table E.4 (continued) 
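Table E.4 lists each number together with its index (discrete logarithm) modulo a prime p, and the legible rows, such as 3 2 6 4 5 1 for p = 7, are the successive powers of the least primitive root of p. The Python below is an added example, not part of the book: it rebuilds both directions of the table under that least-primitive-root assumption and shows how indices turn multiplication into addition; all function names are illustrative.

```python
"""Rebuild rows of an index (discrete logarithm) table modulo a prime.

Added example. Assumption: the table's base is the least primitive root of p,
which matches the rows that are legible on the page (for example p = 7, 13, 47).
"""


def prime_factors(n):
    """Return the set of distinct prime factors of n (trial division)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def least_primitive_root(p):
    """Smallest r whose powers run through every nonzero residue modulo the prime p."""
    if p == 2:
        return 1
    qs = prime_factors(p - 1)
    for r in range(2, p):
        # r is a primitive root iff r^((p-1)/q) != 1 for every prime q dividing p-1.
        if all(pow(r, (p - 1) // q, p) != 1 for q in qs):
            return r
    raise ValueError(f"{p} is not prime")


def power_row(p):
    """Numbers by index: entry k-1 holds r^k mod p for k = 1, ..., p-1."""
    r = least_primitive_root(p)
    return [pow(r, k, p) for k in range(1, p)]


def index_row(p):
    """Indices by number: maps a to the k in 1..p-1 with r^k = a (mod p).

    As in the table, the index of 1 is written p-1 rather than 0.
    """
    return {a: k for k, a in enumerate(power_row(p), start=1)}


def multiply_via_indices(p, a, b):
    """Compute a*b mod p using only table lookups and one addition mod p-1."""
    ind = index_row(p)
    powers = power_row(p)
    k = (ind[a] + ind[b]) % (p - 1)
    # Index 0 and index p-1 name the same residue class, the number 1.
    return 1 if k == 0 else powers[k - 1]


if __name__ == "__main__":
    for p in (7, 13):
        print(p, "numbers by index:", power_row(p))
    row = index_row(47)
    print("p = 47, indices of 1..16:", [row[a] for a in range(1, 17)])
    print("13 * 29 mod 47 via indices:", multiply_via_indices(47, 13, 29))
```

Building the table costs p - 1 modular multiplications, which is practical only for small primes like those tabulated; no comparably cheap lookup exists for the large primes used in discrete-logarithm cryptosystems.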
d   √d                                            d   √d
2   [1; 2]                                        53  [7; 3, 1, 1, 3, 14]
3   [1; 1, 2]                                     54  [7; 2, 1, 6, 1, 2, 14]
5   [2; 4]                                        55  [7; 2, 2, 2, 14]
6   [2; 2, 4]                                     56  [7; 2, 14]
7   [2; 1, 1, 1, 4]                               57  [7; 1, 1, 4, 1, 1, 14]
8   [2; 1, 4]                                     58  [7; 1, 1, 1, 1, 1, 1, 14]
10  [3; 6]                                        59  [7; 1, 2, 7, 2, 1, 14]
11  [3; 3, 6]                                     60  [7; 1, 2, 1, 14]
12  [3; 2, 6]                                     61  [7; 1, 4, 3, 1, 2, 2, 1, 3, 4, 1, 14]
13  [3; 1, 1, 1, 1, 6]                            62  [7; 1, 6, 1, 14]
14  [3; 1, 2, 1, 6]                               63  [7; 1, 14]
15  [3; 1, 6]                                     65  [8; 16]
17  [4; 8]                                        66  [8; 8, 16]
18  [4; 4, 8]                                     67  [8; 5, 2, 1, 1, 7, 1, 1, 2, 5, 16]
19  [4; 2, 1, 3, 1, 2, 8]                         68  [8; 4, 16]
20  [4; 2, 8]                                     69  [8; 3, 3, 1, 4, 1, 3, 3, 16]
21  [4; 1, 1, 2, 1, 1, 8]                         70  [8; 2, 1, 2, 1, 2, 16]
22  [4; 1, 2, 4, 2, 1, 8]                         71  [8; 2, 2, 1, 7, 1, 2, 2, 16]
23  [4; 1, 3, 1, 8]                               72  [8; 2, 16]
24  [4; 1, 8]                                     73  [8; 1, 1, 5, 5, 1, 1, 16]
26  [5; 10]                                       74  [8; 1, 1, 1, 1, 16]
27  [5; 5, 10]                                    75  [8; 1, 1, 1, 16]
28  [5; 3, 2, 3, 10]                              76  [8; 1, 2, 1, 1, 5, 4, 5, 1, 1, 2, 1, 16]
29  [5; 2, 1, 1, 2, 10]                           77  [8; 1, 3, 2, 3, 1, 16]
30  [5; 2, 10]                                    78  [8; 1, 4, 1, 16]
31  [5; 1, 1, 3, 5, 3, 1, 1, 10]                  79  [8; 1, 7, 1, 16]
32  [5; 1, 1, 1, 10]                              80  [8; 1, 16]
33  [5; 1, 2, 1, 10]                              82  [9; 18]
34  [5; 1, 4, 1, 10]                              83  [9; 9, 18]
35  [5; 1, 10]                                    84  [9; 6, 18]
37  [6; 12]                                       85  [9; 4, 1, 1, 4, 18]
38  [6; 6, 12]                                    86  [9; 3, 1, 1, 1, 8, 1, 1, 1, 3, 18]
39  [6; 4, 12]                                    87  [9; 3, 18]
40  [6; 3, 12]                                    88  [9; 2, 1, 1, 1, 2, 18]
41  [6; 2, 2, 12]                                 89  [9; 2, 3, 3, 2, 18]
42  [6; 2, 12]                                    90  [9; 2, 18]
43  [6; 1, 1, 3, 1, 5, 1, 3, 1, 1, 12]            91  [9; 1, 1, 5, 1, 5, 1, 1, 18]
44  [6; 1, 1, 1, 2, 1, 1, 1, 12]                  92  [9; 1, 1, 2, 4, 2, 1, 1, 18]
45  [6; 1, 2, 2, 2, 1, 12]                        93  [9; 1, 1, 1, 4, 6, 4, 1, 1, 1, 18]
46  [6; 1, 3, 1, 1, 2, 6, 2, 1, 1, 3, 1, 12]      94  [9; 1, 2, 3, 1, 1, 5, 1, 8, 1, 5, 1, 1, 3, 2, 1, 18]
47  [6; 1, 5, 1, 12]                              95  [9; 1, 2, 1, 18]
48  [6; 1, 12]                                    96  [9; 1, 3, 1, 18]
50  [7; 14]                                       97  [9; 1, 5, 1, 1, 1, 1, 1, 1, 5, 1, 18]
51  [7; 7, 14]                                    98  [9; 1, 8, 1, 18]
52  [7; 4, 1, 2, 1, 4, 14]                        99  [9; 1, 18]


Table E.5 Simple continued fractions for square roots of positive integers. 


Answers to Odd-Numbered Exercises


Section 1.1

1. a. well-ordered b. well-ordered c. not well-ordered d. well-ordered e. not well-ordered

3. Suppose that $x$ and $y$ are rational numbers. Then $x = a/b$ and $y = c/d$, where $a$, $b$, $c$, and $d$
are integers with $b \neq 0$ and $d \neq 0$. Then $xy = (a/b) \cdot (c/d) = ac/bd$ and $x + y = a/b + c/d =
(ad + bc)/bd$, where $bd \neq 0$. Because both $x + y$ and $xy$ are ratios of integers, they are both
rational.

5. Suppose that $\sqrt{3}$ were rational. Then there would exist positive integers $a$ and $b$ with
$\sqrt{3} = a/b$. Consequently, the set $S = \{k\sqrt{3} \mid k \text{ and } k\sqrt{3} \text{ are positive integers}\}$ is nonempty
because $a = b\sqrt{3}$. Therefore, by the well-ordering property, $S$ has a smallest element, say,
$s = t\sqrt{3}$. We have $s\sqrt{3} - s = s\sqrt{3} - t\sqrt{3} = (s - t)\sqrt{3}$. Because $s\sqrt{3} = 3t$ and $s$ are both
integers, $s\sqrt{3} - s = (s - t)\sqrt{3}$ must also be an integer. Furthermore, it is positive, because
$s\sqrt{3} - s = s(\sqrt{3} - 1)$ and $\sqrt{3} > 1$. It is less than $s$ because $s = t\sqrt{3}$, $s\sqrt{3} = 3t$, and $\sqrt{3} < 3$. This
contradicts the choice of $s$ as the smallest positive integer in $S$. It follows that $\sqrt{3}$ is irrational.

7. a. 0 b. −1 c. 3 d. −2 e. 0 f. −4

9. a. $\{8/5\} = 3/5$ b. $\{1/7\} = 1/7$ c. $\{-11/4\} = 1/4$ d. $\{7\} = 0$

11. 0 if $x$ is an integer; −1 otherwise

13. We have $[x] \le x$ and $[y] \le y$. Adding these two inequalities gives $[x] + [y] \le x + y$. Hence,
$[x + y] \ge [[x] + [y]] = [x] + [y]$.

15. Let $x = a + r$ and $y = b + s$, where $a$ and $b$ are integers and $r$ and $s$ are real numbers such
that $0 \le r, s < 1$. Then $[xy] = [ab + as + br + sr] = ab + [as + br + sr]$, whereas $[x][y] = ab$.
Thus we have $[xy] \ge [x][y]$ when $x$ and $y$ are both positive. If $x$ and $y$ are both negative, then
$[xy] \le [x][y]$. If one of $x$ and $y$ is positive and the other negative, then the inequality could go
either direction.

17. Let $x = [x] + r$. Because $0 \le r < 1$, $x + \frac{1}{2} = [x] + r + \frac{1}{2}$. If $r < \frac{1}{2}$, then $[x]$ is the integer nearest
to $x$ and $[x + \frac{1}{2}] = [x]$ because $[x] \le x + \frac{1}{2} = [x] + r + \frac{1}{2} < [x] + 1$. If $r \ge \frac{1}{2}$, then $[x] + 1$ is
the integer nearest to $x$ (choosing this integer if $x$ is midway between $[x]$ and $[x + 1]$) and
$[x + \frac{1}{2}] = [x] + 1$ because $[x] + 1 \le x + r + \frac{1}{2} < [x] + 2$.

19. Let $x = k + \epsilon$ where $k$ is an integer and $0 \le \epsilon < 1$. Further, let $k = a^2 + b$, where $a$ is the largest
integer such that $a^2 \le k$. Then $a^2 \le k = a^2 + b \le x = a^2 + b + \epsilon < (a + 1)^2$. Then $[\sqrt{x}] = a$ and
$[\sqrt{[x]}] = [\sqrt{k}] = a$ also, proving the theorem.

21. a. $8n - 5$ b. $2^n + 3$ c. $[[\sqrt{n}]/\sqrt{n}]$ d. $a_n = a_{n-1} + a_{n-2}$, for $n \ge 3$, and $a_1 = 1$, and $a_2 = 3$

23. $a_n = 2^{n-1}$; $a_n = (n^2 - n + 2)/2$; and $a_n = a_{n-1} + 2a_{n-2}$, for $n \ge 3$

25. This set is exactly the sequence $a_n = n - 100$, and hence is countable.

27. The function $f(a + b\sqrt{2}) = 2^a 3^b$ is a one-to-one map of this set into the rational numbers, which
is countable.


29. Suppose $\{A_i\}$ is a countable collection of countable sets. Then each $A_i$ can be represented by a
sequence, as follows:

$A_1 = a_{11} \; a_{12} \; a_{13} \; \cdots$
$A_2 = a_{21} \; a_{22} \; a_{23} \; \cdots$
$A_3 = a_{31} \; a_{32} \; a_{33} \; \cdots$

Consider the listing $a_{11}, a_{12}, a_{21}, a_{13}, a_{22}, a_{31}, \ldots$, in which we first list the elements with
subscripts adding to 2, then the elements with subscripts adding to 3, and so on. Further, we order
the elements with subscripts adding to $k$ in order of the first subscript. Form a new sequence $c_i$ as
follows. Let $c_1 = a_{11}$. Given that $c_n$ is determined, let $c_{n+1}$ be the next element in the listing that is
different from each $c_i$ with $i = 1, 2, \ldots, n$. It follows that the terms of this sequence are exactly
the elements of $\bigcup_{i=1}^{\infty} A_i$, which is therefore countable.

31. a. $a = 4$, $b = 7$ b. $a = 7$, $b = 10$ c. $a = 7$, $b = 69$ d. $a = 1$, $b = 20$

33. The number $\alpha$ must lie in some interval of the form $r/k \le \alpha < (r + 1)/k$. If we divide this
interval into equal halves, then $\alpha$ must lie in one of the halves, so either $r/k \le \alpha < (2r + 1)/2k$
or $(2r + 1)/2k \le \alpha < (r + 1)/k$. In the first case, we have $|\alpha - r/k| < 1/2k$, so we take $u = r$. In
the second case, we have $|\alpha - (r + 1)/k| \le 1/2k$, so we take $u = r + 1$.

35. First, we have $|\sqrt{2} - 1/1| = 0.414\ldots < 1/1^2$. Second, Exercise 30, part a, gives us $|\sqrt{2} - 7/5| <
1/50 < 1/5^2$. Third, observing that $3/7 = 0.428\ldots$ leads us to try $|\sqrt{2} - 10/7| = 0.014\ldots <
1/7^2 = 0.0204\ldots$. Fourth, observing that $5/12 = 0.4166\ldots$ leads us to try $|\sqrt{2} - 17/12| =
0.00245\ldots < 1/12^2 = 0.00694\ldots$

37. We may assume that $b$ and $q$ are positive. Note that if $q > b$, we have $|p/q - a/b| =
|pb - aq|/qb \ge 1/qb > 1/q^2$. Therefore, solutions to the inequality must have $1 \le q \le b$. For a
given $q$, there can be only finitely many $p$ such that the distance between the rational numbers
$a/b$ and $p/q$ is less than $1/q^2$ (indeed there is at most one.) Therefore, there are only finitely
many $p/q$ satisfying the inequality.

39. a. 3, 6, 9, 12, 15, 18, 21, 24, 27, 30 b. 1, 3, 5, 6, 8, 10, 12, 13, 15, 17 c. 2, 4, 7, 9, 11, 14, 16,
18, 21, 23 d. 3, 6, 9, 12, 15, 18, 21, 25, 28, 31

41. Assume that $1/\alpha + 1/\beta = 1$. First, show that the sequences $m\alpha$ and $n\beta$ are disjoint. Then, for an
integer $k$, define $N(k)$ to be the number of elements of the sequences $m\alpha$ and $n\beta$ that are less than $k$.
Then $N(k) = [k/\alpha] + [k/\beta]$. By definition of the greatest integer function, $k/\alpha - 1 < [k/\alpha] < k/\alpha$
and $k/\beta - 1 < [k/\beta] < k/\beta$. Add these inequalities to deduce that $k - 2 < N(k) < k$. Hence
$N(k) = k - 1$, and the conclusion follows. To prove the converse, note that if $1/\alpha + 1/\beta \neq 1$, then
the spectrum sequence cannot partition the positive integers.

43. Assume that there are only finitely many Ulam numbers. Let the two largest Ulam numbers be
$u_{n-1}$ and $u_n$. Then the integer $u_n + u_{n-1}$ is an Ulam number larger than $u_n$. It is the unique sum
of two Ulam numbers because $u_i + u_j < u_n + u_{n-1}$ if $j < n$ or $j = n$ and $i < n - 1$.

45. To get a contradiction, suppose that the set of real numbers is countable. Then the subset of real
numbers strictly between 0 and 1 is also countable. Then there is a one-to-one correspondence
$f : \mathbf{Z}^+ \to (0, 1)$. Each real number $b \in (0, 1)$ has a decimal representation of the form
$b = 0.b_1b_2b_3\ldots$, where $b_i$ is the $i$th digit after the decimal point. For each $k = 1, 2, 3, \ldots$,
let $f(k) = a_k \in (0, 1)$. Then each $a_k$ has a decimal representation of the form $a_k = 0.a_{k1}a_{k2}a_{k3}\ldots$.
Form the real number $c = 0.c_1c_2c_3\ldots$ as follows: If $a_{kk} = 5$, then let $c_k = 4$. If $a_{kk} \neq 5$, then let
$c_k = 5$. Then $c \neq a_k$ for every $k$ because it differs in the $k$th decimal place. Therefore $f(k) \neq c$
for all $k$, and so $f$ is not a one-to-one correspondence.

Section 1.2

1. a. 55 b. −15 c. 29/20

3. a. 510 b. 24,600 c. −255/256

5. The sum $\sum_{k=1}^{n} [\sqrt{k}]$ counts 1 for every value of $k$ with $\sqrt{k} \ge 1$. There are $n$ such values of
$k$ in the range $k = 1, 2, 3, \ldots, n$. It counts another 1 for every value of $k$ with $\sqrt{k} \ge 2$.
There are $n - 3$ such values in the range. The sum counts another 1 for each value of $k$ with
$\sqrt{k} \ge 3$. There are $n - 8$ such values in the range. In general, for $m = 1, 2, 3, \ldots, [\sqrt{n}]$
the sum counts a 1 for each value of $k$ with $\sqrt{k} \ge m$, and there are $n - (m^2 - 1)$ such values
in the range. Therefore, $\sum_{k=1}^{n} [\sqrt{k}] = \sum_{m=1}^{[\sqrt{n}]} \left(n - (m^2 - 1)\right) = [\sqrt{n}](n + 1) - \sum_{m=1}^{[\sqrt{n}]} m^2 =
[\sqrt{n}](n + 1) - \left([\sqrt{n}]([\sqrt{n}] + 1)(2[\sqrt{n}] + 1)\right)/6$.

7. The total number of dots in the $n$ by $n + 1$ rectangle, namely, $n(n + 1)$, is $2t_n$, because the rectangle
is made from two triangular arrays. Dividing both sides by 2 gives the desired formula.

9. From the closed formula for nth triangular number, we have $t_{n+1}^2 - t_n^2 = ((n + 1)(n +
1 + 1)/2)^2 - (n(n + 1)/2)^2 = (n + 1)^2((n + 2)^2/4 - n^2/4) = (n + 1)^2(n^2 + 4n + 4 - n^2)/4 =
(n + 1)^2(4n + 4)/4 = (n + 1)^3$, as desired.

11. From Exercise 10, we have $p_n = (3n^2 - n)/2$. On the other hand, $t_{n-1} + n^2 = (n - 1)n/2 + n^2 =
(3n^2 - n)/2$, which is the same as above.

13. a. Consider a regular heptagon that we border successively by heptagons with 3, 4, 5, ... on
each side. Define the heptagonal numbers $s_k$ to be the number of dots contained in the $k$ nested
heptagons. b. $(5k^2 - 3k)/2$

15. From Exercise 10, we have $p_n = (3n^2 - n)/2$. Also, $t_{3n-1}/3 = (1/3)(3n - 1)(3n)/2 = (3n -
1)(n)/2 = (3n^2 - n)/2 = p_n$.

17. By Exercise 16, we have $T_n = \sum_{k=1}^{n} t_k = \sum_{k=1}^{n} k(k + 1)/2$. Note that $(k + 1)^3 - k^3 = 3k^2 + 3k +
1 = 3(k^2 + k) + 1$ so that $k^2 + k = ((k + 1)^3 - k^3)/3 - (1/3)$. Then $T_n = (1/2)\sum_{k=1}^{n} k(k + 1) =
(1/6)\sum_{k=1}^{n} ((k + 1)^3 - k^3) - (1/6)\sum_{k=1}^{n} 1$. The first sum is telescoping and the second sum is
trivial, so we have $T_n = (1/6)((n + 1)^3 - 1^3) - (n/6) = (n^3 + 3n^2 + 2n)/6$.

19. Each of these four quantities are products of 100 integers. The largest product is $100^{100}$, because
it is the product of 100 factors of 100. The second largest is $100!$, which is the product of the
integers 1, 2, ..., 100, and each of these terms is less or equal to 100. The third largest is $(50!)^2$,
which is the product of $1^2, 2^2, \ldots, 50^2$, and each of these factors $j^2$ is less than $j(50 + j)$, whose
product is $100!$. The smallest is $2^{100}$ which is the product of 100 twos.

21. $\sum_{k=1}^{n} \left(\frac{1}{k(k+1)}\right) = \sum_{k=1}^{n} \left(\frac{1}{k} - \frac{1}{k+1}\right)$. Let $a_j = 1/(j + 1)$. Notice that this is a telescoping
sum, as in Example 1.19. Therefore, we have $\sum_{k=1}^{n} \left(\frac{1}{k(k+1)}\right) = \sum_{j=1}^{n} (a_{j-1} - a_j) =
a_0 - a_n = 1 - 1/(n + 1) = n/(n + 1)$.

23. We sum both sides of the identity $(k + 1)^3 - k^3 = 3k^2 + 3k + 1$ from $k = 1$ to $k = n$. $\sum_{k=1}^{n} ((k +
1)^3 - k^3) = (n + 1)^3 - 1$, because the sum is telescoping. $\sum_{k=1}^{n} (3k^2 + 3k + 1) = 3(\sum_{k=1}^{n} k^2) +
3(\sum_{k=1}^{n} k) + \sum_{k=1}^{n} 1 = 3(\sum_{k=1}^{n} k^2) + 3n(n + 1)/2 + n$. As these two expressions are equal,
solving for $\sum_{k=1}^{n} k^2$, we find that $\sum_{k=1}^{n} k^2 = (n(2n + 1)(n + 1))/6$.

25. a. $10! = (7!)(8 \cdot 9 \cdot 10) = (7!)(720) = (7!)(6!)$. b. $10! = (7!)(6!) = (7!)(5!) \cdot 6 = (7!)(5!)(3!)$.
c. $16! = (14!)(15 \cdot 16) = (14!)(240) = (14!)(5!)(2!)$. d. $9! = (7!)(8 \cdot 9) = (7!)(6 \cdot 6 \cdot 2) =
(7!)(3!)(3!)(2!)$.

27. $x = y = 1$ and $z = 2$

Section 1.3

1. For $n = 1$, we have $1 < 2^1 = 2$. Now assume $n < 2^n$. Then $n + 1 < 2^n + 1 < 2^n + 2^n = 2^{n+1}$.

3. For the basis step, $\sum_{j=1}^{1} \frac{1}{j^2} = 1 \le 2 - \frac{1}{1} = 1$. For the inductive step, we assume that $\sum_{j=1}^{n} \frac{1}{j^2} \le
2 - \frac{1}{n}$. Then $\sum_{j=1}^{n+1} \frac{1}{j^2} = \sum_{j=1}^{n} \frac{1}{j^2} + \frac{1}{(n+1)^2} \le 2 - \frac{1}{n} + \frac{1}{(n+1)^2}$ by the induction hypothesis. This
: 1 ieee 1 1 1 ‘ 
is less than 2 — oat wD? =2- iv ma) 2 at as desired. 


5. $A^n = \begin{pmatrix} 1 & n \\ 0 & 1 \end{pmatrix}$. The basis step is trivial. For the inductive step, assume that $A^n = \begin{pmatrix} 1 & n \\ 0 & 1 \end{pmatrix}$.
Then $A^{n+1} = A^n A = \begin{pmatrix} 1 & n \\ 0 & 1 \end{pmatrix} \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix} = \begin{pmatrix} 1 & n+1 \\ 0 & 1 \end{pmatrix}$.

7. For the basis step, we have $\sum_{j=1}^{1} j^2 = 1 = 1(1 + 1)(2 \cdot 1 + 1)/6$. For the inductive step,
we assume that $\sum_{j=1}^{n} j^2 = n(n + 1)(2n + 1)/6$. Then $\sum_{j=1}^{n+1} j^2 = \sum_{j=1}^{n} j^2 + (n + 1)^2 =
n(n + 1)(2n + 1)/6 + (n + 1)^2 = (n + 1)(n(2n + 1)/6 + n + 1) = (n + 1)(2n^2 + 7n + 6)/6 =
(n + 1)(n + 2)[2(n + 1) + 1]/6$.

9. For the basis step, we have $\sum_{j=1}^{1} j(j + 1) = 2 = 1(2)(3)/3$. Assume it is true for $n$. Then
$\sum_{j=1}^{n+1} j(j + 1) = n(n + 1)(n + 2)/3 + (n + 1)(n + 2) = (n + 1)(n + 2)(n/3 + 1) = (n + 1)(n +
2)(n + 3)/3$.

11. $2^{n(n+1)/2}$

13. For the basis step, we note that $12 = 4 \cdot 3$. For the inductive step, assume that postage of $n$
cents can be formed, with $n = 4a + 5b$, where $a$ and $b$ are nonnegative integers. To form
$n + 1$ cents postage, if $a > 0$ we can replace a 4-cent stamp with a 5-cent stamp; that is,
$n + 1 = 4(a - 1) + 5(b + 1)$. If no 4-cent stamps are present, then all 5-cent stamps were used. It
follows that there must be at least three 5-cent stamps and these can be replaced by four 4-cent
stamps; that is, $n + 1 = 4(a + 4) + 5(b - 3)$.

15. We use mathematical induction. The inequality is true for $n = 0$ because $H_{2^0} = H_1 = 1 \ge 1 =
1 + 0/2$. Now assume that the inequality is true for $n$, that is, $H_{2^n} \ge 1 + n/2$. Then $H_{2^{n+1}} =
\sum_{j=1}^{2^n} 1/j + \sum_{j=2^n+1}^{2^{n+1}} 1/j \ge H_{2^n} + \sum_{j=2^n+1}^{2^{n+1}} 1/2^{n+1} \ge 1 + n/2 + 2^n \cdot 1/2^{n+1} = 1 + n/2 + 1/2 =
1 + (n + 1)/2$.

17. For the basis step, we have $(2 \cdot 1)! = 2 < 2^{2 \cdot 1}(1!)^2 = 4$. For the inductive step, we assume
that $(2n)! < 2^{2n}(n!)^2$. Then $[2(n + 1)]! = (2n)!(2n + 1)(2n + 2) < 2^{2n}(n!)^2(2n + 1)(2n + 2) <
2^{2n}(n!)^2(2n + 2)^2 = 2^{2(n+1)}[(n + 1)!]^2$.

19. Let $A$ be such a set. Define $B$ as $B = \{x - k + 1 \mid x \in A \text{ and } x \ge k\}$. Because $x \ge k$, $B$ is a
set of positive integers. Because $k \in A$ and $k \ge k$, $k - k + 1 = 1$ is in $B$. Because $n + 1$ is in $A$
whenever $n$ is, $n + 1 - k + 1$ is in $B$ whenever $n - k + 1$ is. Thus, $B$ satisfies the hypothesis for
mathematical induction, i.e., $B$ is the set of positive integers. Mapping $B$ back to $A$ in the natural
manner, we find that $A$ contains the set of integers greater than or equal to $k$.

21. For the basis step, we have $4^2 = 16 < 24 = 4!$. For the inductive step, we assume that $n^2 < n!$.
Then $(n + 1)^2 = n^2 + 2n + 1 < n! + 2n + 1 < n! + 3n < n! + n! = 2n! < (n + 1)n! = (n + 1)!$.

23. We use the second principle of mathematical induction. For the basis step, if the puzzle has only
one piece, then it is assembled with exactly 0 moves. For the induction step, assume that all puzzles
with $k \le n$ pieces require $k - 1$ moves to assemble. Suppose it takes $m$ moves to assemble a puzzle
with $n + 1$ pieces. Then the $m$th move consists of joining two blocks of size $a$ and $b$, respectively,
with $a + b = n + 1$. But by the induction hypothesis, it requires exactly $a - 1$ and $b - 1$ moves to
assemble each of these blocks. Thus, $m = (a - 1) + (b - 1) + 1 = a + b - 1 = n + 1 - 1 = n$.


25. Suppose that $f(n)$ is defined recursively by specifying the value of $f(1)$ and a rule for finding
$f(n + 1)$ from $f(n)$. We will prove by mathematical induction that such a function is well-defined.
First, note that $f(1)$ is well-defined because this value is explicitly stated. Now assume that $f(n)$
is well-defined. Then $f(n + 1)$ also is well-defined because a rule is given for determining this
value from $f(n)$.

27. 65,536

29. We use the second principle of mathematical induction. The basis step consists of verifying the
formula for $n = 1$ and $n = 2$. For $n = 1$, we have $f(1) = 1 = 2^1 + (-1)^1$, and for $n = 2$, we have
$f(2) = 5 = 2^2 + (-1)^2$. Now assume that $f(k) = 2^k + (-1)^k$ for all positive integers $k$ with
$k < n$ where $n > 2$. By the induction hypothesis, it follows that $f(n) = f(n - 1) + 2f(n - 2) =
(2^{n-1} + (-1)^{n-1}) + 2(2^{n-2} + (-1)^{n-2}) = (2^{n-1} + 2^{n-1}) + (-1)^{n-2}(-1 + 2) = 2^n + (-1)^n$.

31. We use the second principle of mathematical induction. We see that $a_0 = 1 \le 3^0 = 1$, $a_1 = 3 \le 3^1 =
3$, and $a_2 = 9 \le 3^2 = 9$. These are the basis cases. Now assume that $a_k \le 3^k$ for all integers $k$ with
$0 \le k < n$. It follows that $a_n = a_{n-1} + a_{n-2} + a_{n-3} \le 3^{n-1} + 3^{n-2} + 3^{n-3} = 3^{n-3}(1 + 3 + 9) =
13 \cdot 3^{n-3} < 27 \cdot 3^{n-3} = 3^n$.

33. Let $P_n$ be the statement for $n$. Then $P_2$ is true, because we have $((a_1 + a_2)/2)^2 - a_1a_2 =
((a_1 - a_2)/2)^2 \ge 0$. Assume $P_n$ is true. Then by $P_2$, for $2n$ positive real numbers $a_1, \ldots, a_{2n}$, we
have $a_1 + \cdots + a_{2n} \ge 2(\sqrt{a_1a_2} + \sqrt{a_3a_4} + \cdots + \sqrt{a_{2n-1}a_{2n}})$. Apply $P_n$ to this last expression to
get $a_1 + \cdots + a_{2n} \ge 2n(a_1a_2 \cdots a_{2n})^{1/(2n)}$, which establishes $P_n$ for $n = 2^k$ for all $k$. Again, assume
$P_n$ is true. Let $g = (a_1a_2 \cdots a_{n-1})^{1/(n-1)}$. Applying $P_n$, we have $a_1 + a_2 + \cdots + a_{n-1} + g \ge
n(a_1a_2 \cdots a_{n-1}g)^{1/n} = n(g^{n-1}g)^{1/n} = ng$. Therefore, $a_1 + a_2 + \cdots + a_{n-1} \ge (n - 1)g$, which
establishes $P_{n-1}$. Thus $P_{2^k}$ is true and $P_n$ implies $P_{n-1}$. This establishes $P_n$ for all $n$.

35. Note that because $0 < p < q$ we have $0 < p/q < 1$. The proposition is trivially true if $p = 1$. We
proceed by strong induction on $p$. Let $p$ and $q$ be given and assume the proposition is true for all
rational numbers between 0 and 1 with numerators less than $p$. To apply the algorithm, we find
the unit fraction $1/s$ such that $1/(s - 1) > p/q > 1/s$. When we subtract, the remaining fraction is
$p/q - 1/s = (ps - q)/qs$. On the other hand, if we multiply the first inequality by $q(s - 1)$, we
have $q > p(s - 1)$, which leads to $p > ps - q$, which shows that the numerator of $p/q$ is strictly
greater than the numerator of the remainder $(ps - q)/qs$ after one step of the algorithm. By the
induction hypothesis, this remainder is expressible as a sum of unit fractions, $1/u_1 + \cdots + 1/u_k$.
Therefore, $p/q = 1/s + 1/u_1 + \cdots + 1/u_k$, which completes the induction step.


Section 1.4

1. a. 55 b. 233 c. 610 d. 2584 e. 6765 f. 75025

3. Note that $2f_{n+2} - f_n = f_{n+2} + (f_{n+2} - f_n) = f_{n+2} + f_{n+1} = f_{n+3}$. Add $f_n$ to both sides.

5. For $n = 1$, we have $f_{2 \cdot 1} = 1 = 1^2 + 2 \cdot 1 \cdot 0 = f_1^2 + 2f_0f_1$, and for $n = 2$, we have $f_{2 \cdot 2} = 3 =
1^2 + 2 \cdot 1 \cdot 1 = f_2^2 + 2f_1f_2$. So the basis step holds for strong induction. Assume, then, that $f_{2n-4} =
f_{n-2}^2 + 2f_{n-3}f_{n-2}$ and $f_{2n-2} = f_{n-1}^2 + 2f_{n-2}f_{n-1}$. Now compute $f_{2n} = f_{2n-1} + f_{2n-2} =
2f_{2n-2} + f_{2n-3} = 3f_{2n-2} - f_{2n-4}$. We may now substitute in our induction hypotheses to set this
last expression equal to cf ee 1 6 fn—-2fn-1 = 3 = 2 fn-3fn—2 = i ar 6(fn ~~ Sp aa Fr 
(fn ~ ‘eee a 2(fn-1 = fn-2) (Sn = fn—1) = —2f7, 1 6 fn fn—1 _ fp? + 2 inn = fn—1) = 

2 fr—1fa — Fa—1) = f2 +2 fn—1fn» Which completes the induction step. 


7. $\sum_{j=1}^{n} f_{2j-1} = f_{2n}$. The basis step is trivial. Assume that our formula is true for $n$, and consider
$f_1 + f_3 + f_5 + \cdots + f_{2n-1} + f_{2n+1} = f_{2n} + f_{2n+1} = f_{2n+2}$, which is the induction step.

9. First suppose $n = 2k$ is even. Then $f_n - f_{n-1} + \cdots + (-1)^{n+1}f_1 = (f_{2k} + f_{2k-1} + \cdots + f_1) -
2(f_{2k-1} + f_{2k-3} + \cdots + f_1) = (f_{2k+2} - 1) - 2(f_{2k})$ by the formulas in Example 1.27 and
Exercise 7. This last equals $(f_{2k+2} - f_{2k}) - f_{2k} - 1 = f_{2k+1} - f_{2k} - 1 = f_{2k-1} - 1 = f_{n-1} - 1$.
Now suppose $n = 2k + 1$ is odd. Then $f_n - f_{n-1} + \cdots + (-1)^{n+1}f_1 = f_{2k+1} - (f_{2k} - f_{2k-1} +
\cdots - (-1)^{n+1}f_1) = f_{2k+1} - (f_{2k-1} - 1)$ by the formula just proved for the even case. This last
equals $(f_{2k+1} - f_{2k-1}) + 1 = f_{2k} + 1 = f_{n-1} + 1$. We can unite the formulas for the odd and even
cases by writing the formula as $f_{n-1} - (-1)^n$.

11. From Exercise 5, we have $f_{2n} = f_n^2 + 2f_{n-1}f_n = f_n(f_n + f_{n-1} + f_{n-1}) = (f_{n+1} - f_{n-1})(f_{n+1} +
f_{n-1}) = f_{n+1}^2 - f_{n-1}^2$.

13. We use mathematical induction. For the basis step, $\sum_{j=1}^{1} f_j^2 = f_1^2 = f_1f_2$. To make the inductive
step, we assume that $\sum_{j=1}^{n} f_j^2 = f_nf_{n+1}$. Then $\sum_{j=1}^{n+1} f_j^2 = \sum_{j=1}^{n} f_j^2 + f_{n+1}^2 = f_nf_{n+1} + f_{n+1}^2 =
f_{n+1}f_{n+2}$.

15. From Exercise 13, we have $f_{n+1}f_n - f_{n-1}f_{n-2} = (f_1^2 + \cdots + f_n^2) - (f_1^2 + \cdots + f_{n-2}^2) =
f_n^2 + f_{n-1}^2$. The identity in Exercise 10 shows that this is equal to $f_{2n-1}$ when $n$ is a positive
integer, and in particular when $n$ is greater than 2.

17. For fixed $m$, we proceed by induction on $n$. The basis step is $f_{m+1} = f_mf_2 + f_{m-1}f_1 = f_m \cdot 1 +
f_{m-1} \cdot 1$, which is true. Assume the identity holds for $1, 2, \ldots, k$. Then $f_{m+k} = f_mf_{k+1} + f_{m-1}f_k$
and $f_{m+k-1} = f_mf_k + f_{m-1}f_{k-1}$. Adding these equations gives us $f_{m+k} + f_{m+k-1} = f_m(f_{k+1} +
f_k) + f_{m-1}(f_k + f_{k-1})$. Applying the recursive definition yields $f_{m+k+1} = f_mf_{k+2} + f_{m-1}f_{k+1}$.

19. $\sum_{i=1}^{n} L_i = L_{n+2} - 3$. We use mathematical induction. The basis step is $L_1 = 1 = L_3 - 3$. Assume
that the formula holds for $n$ and compute $\sum_{i=1}^{n+1} L_i = \sum_{i=1}^{n} L_i + L_{n+1} = L_{n+2} - 3 + L_{n+1} =
(L_{n+2} + L_{n+1}) - 3 = L_{n+3} - 3$.

21. $\sum_{i=1}^{n} L_{2i} = L_{2n+1} - 1$. We use mathematical induction. The basis step is $L_2 = 3 = L_3 - 1$.
Assume that the formula holds for $n$ and compute $\sum_{i=1}^{n+1} L_{2i} = \sum_{i=1}^{n} L_{2i} + L_{2n+2} = L_{2n+1} -
1 + L_{2n+2} = L_{2n+3} - 1$.

23. We proceed by induction. The basis step is $L_1^2 = 1 = L_1L_2 - 2$. Assume the formula holds for
$n$ and consider $\sum_{i=1}^{n+1} L_i^2 = \sum_{i=1}^{n} L_i^2 + L_{n+1}^2 = L_nL_{n+1} - 2 + L_{n+1}^2 = L_{n+1}(L_n + L_{n+1}) - 2 =
L_{n+1}L_{n+2} - 2$.

25. For the basis step, we check that $L_1f_1 = 1 \cdot 1 = 1 = f_2$ and $L_2f_2 = 3 \cdot 1 = 3 = f_4$. Assume the
identity is true for all positive integers up to $n$. Then we have $f_{n+1}L_{n+1} = (f_{n+2} - f_n)(f_{n+2} + f_n)$
from Exercise 16. This equals $f_{n+2}^2 - f_n^2 = (f_{n+1} + f_n)^2 - (f_{n-1} + f_{n-2})^2 = f_{n+1}^2 + 2f_{n+1}f_n +
f_n^2 - f_{n-1}^2 - 2f_{n-1}f_{n-2} - f_{n-2}^2 = (f_{n+1}^2 - f_{n-1}^2) + (f_n^2 - f_{n-2}^2) + 2(f_{n+1}f_n - f_{n-1}f_{n-2}) =
(f_{n+1} - f_{n-1})(f_{n+1} + f_{n-1}) + (f_n - f_{n-2})(f_n + f_{n-2}) + 2(f_{2n-1})$, where the last parenthetical
expression is obtained from Exercise 8. This equals $f_nL_n + f_{n-1}L_{n-1} + 2f_{2n-1}$. Applying
the induction hypothesis yields $f_{2n} + f_{2n-2} + 2f_{2n-1} = (f_{2n} + f_{2n-1}) + (f_{2n-1} + f_{2n-2}) =
f_{2n+1} + f_{2n} = f_{2n+2}$, which completes the induction.

27. We prove this by induction on $n$. Fix $m$ a positive integer. If $n = 2$, then for the basis step we
need to show that $L_{m+2} = f_{m+1}L_2 + f_mL_1 = 3f_{m+1} + f_m$, for which we will use induction on
$m$. For $m = 1$ we have $L_3 = 4 = 3 \cdot f_2 + f_1$, and for $m = 2$ we have $L_4 = 7 = 3 \cdot f_3 + f_2$, so the
basis step for $m$ holds. Now assume that the basis step for $n$ holds for all values of $m$ less than and
equal to $m$. Then $L_{m+3} = L_{m+2} + L_{m+1} = 3f_{m+1} + f_m + 3f_m + f_{m-1} = 3f_{m+2} + f_{m+1}$, which
completes the induction step on $m$ and proves the basis step for $n$. To prove the induction step on
$n$, we compute $L_{m+n+1} = L_{m+n} + L_{m+n-1} = (f_{m+1}L_n + f_mL_{n-1}) + (f_{m+1}L_{n-1} + f_mL_{n-2}) =
f_{m+1}(L_n + L_{n-1}) + f_m(L_{n-1} + L_{n-2}) = f_{m+1}L_{n+1} + f_mL_n$, which completes the induction on
$n$ and proves the identity.

29. $50 = 34 + 13 + 3 = f_9 + f_7 + f_4$, $85 = 55 + 21 + 8 + 1 = f_{10} + f_8 + f_6 + f_2$, $110 = 89 + 21 =$


31. We proceed by mathematical induction. The basis steps ($n = 2$ and 3) are easily seen to hold.
For the inductive step, we assume that $f_n < \alpha^{n-1}$ and $f_{n-1} < \alpha^{n-2}$. Now $f_{n+1} = f_n + f_{n-1} <
\alpha^{n-1} + \alpha^{n-2} = \alpha^n$, because $\alpha$ satisfies $\alpha^n = \alpha^{n-1} + \alpha^{n-2}$.

33. We use Theorem 1.3. Note that $\alpha^2 = \alpha + 1$ and $\beta^2 = \beta + 1$, because they are roots of
$x^2 - x - 1 = 0$. Then we have $f_{2n} = (\alpha^{2n} - \beta^{2n})/\sqrt{5} = (1/\sqrt{5})((\alpha + 1)^n - (\beta + 1)^n) =
(1/\sqrt{5})\left(\sum_{j=0}^{n} \binom{n}{j}\alpha^j - \sum_{j=0}^{n} \binom{n}{j}\beta^j\right) = (1/\sqrt{5})\sum_{j=0}^{n} \binom{n}{j}(\alpha^j - \beta^j) = \sum_{j=1}^{n} \binom{n}{j}f_j$, because
the first term is zero in the second-to-last sum.

35. On one hand, $\det(F^n) = \det(F)^n = (-1)^n$. On the other hand,
$\det \begin{pmatrix} f_{n+1} & f_n \\ f_n & f_{n-1} \end{pmatrix} = f_{n+1}f_{n-1} - f_n^2$.

37. $f_0 = 0$, $f_{-1} = 1$, $f_{-2} = -1$, $f_{-3} = 2$, $f_{-4} = -3$, $f_{-5} = 5$, $f_{-6} = -8$, $f_{-7} = 13$, $f_{-8} = -21$,
$f_{-9} = 34$, $f_{-10} = -55$

39. The square has area 64 square units, while the rectangle has area 65 square units. This corresponds
to the identity in Exercise 14, which tells us that $f_7f_5 - f_6^2 = 1$. Notice that the slope of the
hypotenuse of the triangular piece is 3/8, while the slope of the top of the trapezoidal piece is
2/5. We have $2/5 - 3/8 = 1/40$. Thus, the “diagonal” of the rectangle is really a very skinny
parallelogram of area 1, hidden visually by the fact that the two slopes are nearly equal.

41. We solve the equation $r^2 - r - 1 = 0$ to discover the roots $r_1 = (1 + \sqrt{5})/2$ and $r_2 = (1 - \sqrt{5})/2$.
Then, according to the theory in the paragraph above, $f_n = C_1r_1^n + C_2r_2^n$. For $n = 0$, we have $0 =
C_1r_1^0 + C_2r_2^0 = C_1 + C_2$. For $n = 1$, we have $1 = C_1r_1 + C_2r_2 = C_1(1 + \sqrt{5})/2 + C_2(1 - \sqrt{5})/2$.
Solving these two equations simultaneously yields $C_1 = 1/\sqrt{5}$ and $C_2 = -1/\sqrt{5}$. So the explicit
formula is $f_n = (1/\sqrt{5})r_1^n - (1/\sqrt{5})r_2^n = (r_1^n - r_2^n)/\sqrt{5}$.

43. We seek to solve the recurrence relation $L_n = L_{n-1} + L_{n-2}$ subject to the initial conditions
$L_1 = 1$ and $L_2 = 3$. We solve the equation $r^2 - r - 1 = 0$ to discover the roots $\alpha = (1 + \sqrt{5})/2$
and $\beta = (1 - \sqrt{5})/2$. Then, according to the theory in the paragraph above Exercise 41, $L_n =
C_1\alpha^n + C_2\beta^n$. For $n = 1$, we have $L_1 = 1 = C_1\alpha + C_2\beta$. For $n = 2$, we have $3 = C_1\alpha^2 + C_2\beta^2$.
Solving these two equations simultaneously yields $C_1 = 1$ and $C_2 = 1$. So the explicit formula is
$L_n = \alpha^n + \beta^n$.

45. First check that $\alpha^2 = \alpha + 1$ and $\beta^2 = \beta + 1$. We proceed by induction. The basis steps are
$(1/\sqrt{5})(\alpha - \beta) = (1/\sqrt{5})(\sqrt{5}) = 1 = f_1$ and $(1/\sqrt{5})(\alpha^2 - \beta^2) = (1/\sqrt{5})((1 + \alpha) - (1 + \beta)) =
(1/\sqrt{5})(\alpha - \beta) = 1 = f_2$. Assume the identity is true for all positive integers up to $n$. Then $f_{n+1} =
f_n + f_{n-1} = (1/\sqrt{5})(\alpha^n - \beta^n) + (1/\sqrt{5})(\alpha^{n-1} - \beta^{n-1}) = (1/\sqrt{5})(\alpha^{n-1}(\alpha + 1) - \beta^{n-1}(\beta +
1)) = (1/\sqrt{5})(\alpha^{n-1}(\alpha^2) - \beta^{n-1}(\beta^2)) = (1/\sqrt{5})(\alpha^{n+1} - \beta^{n+1})$, which completes the induction.


Section 1.5

1. $3 \mid 99$ because $99 = 3 \cdot 33$, $5 \mid 145$ because $145 = 5 \cdot 29$, $7 \mid 343$ because $343 = 7 \cdot 49$, and $888 \mid 0$
because $0 = 888 \cdot 0$

3. a. yes b. yes c. no d. no e. no f. no

5. a. $q = 5$, $r = 15$ b. $q = 17$, $r = 0$ c. $q = -3$, $r = 7$ d. $q = -6$, $r = 2$

7. a. 1 and 13 b. 1, 3, 7, and 21 c. 1, 2, 3, 4, 6, 9, 12, 18, and 36 d. 1, 2, 4, 11, 22, and 44

9. a. (11, 22) = 11 b. (36, 42) = 6 c. (21, 22) = 1 d. (16, 64) = 16

11. Each of 1, 2, 3, ..., 10 is relatively prime to 11.

13. (10, 11), (10, 13), (10, 17), (10, 19), (11, 12), (11, 13), ..., (11, 20), (12, 13), (12, 17),
(12, 19), (13, 14), (13, 15), ..., (13, 20), (14, 15), (14, 17), (14, 19), (15, 16), (15, 17),
(15, 19), (16, 17), (16, 19), (17, 18), (17, 19), (17, 20), (18, 19) and (19, 20)

15. By hypothesis, $b = ra$ and $d = sc$, for some $r$ and $s$. Thus, $bd = rs(ac)$ and $ac \mid bd$.

17. If $a \mid b$, then $b = na$ and $bc = n(ca)$, i.e., $ac \mid bc$. Now suppose $ac \mid bc$. Thus, $bc = nac$ and, as
$c \neq 0$, $b = na$, i.e., $a \mid b$.

19. By definition, $a \mid b$ if and only if $b = na$ for some integer $n$. Then raising both sides of this
equation to the $k$th power yields $b^k = n^ka^k$ whence $a^k \mid b^k$.

21. Let $a$ and $b$ be odd, and $c$ even. Then $ab = (2x + 1)(2y + 1) = 4xy + 2x + 2y + 1 = 2(2xy +
x + y) + 1$, so $ab$ is odd. On the other hand, for any integer, we have $cn = (2z)n = 2(zn)$, which
is even.

23. By the division algorithm, $a = bq + r$, with $0 \le r < b$. Thus $-a = -bq - r = -(q + 1)b + b - r$.
If $0 \le b - r < b$, then we are done. Otherwise, $b - r = b$, or $r = 0$ and $-a = -qb + 0$.

25. a. The division algorithm covers the case when $b$ is positive. If $b$ is negative, then we may apply
the division algorithm to $a$ and $|b|$ to get a quotient $q$ and remainder $r$ such that $a = q|b| + r$ and
$0 \le r < |b|$. But because $b$ is negative, we have $a = q(-b) + r = (-q)b + r$, as desired. b. 3

27. By the division algorithm, let $m = qn + r$, with $0 \le r \le n - 1$ and $q = [m/n]$. Then
$[(m + 1)/n] = [(qn + r + 1)/n] = [q + (r + 1)/n] = q + [(r + 1)/n]$, as in Example 1.31.
If $r = 0, 1, 2, \ldots, n - 2$, then $m \neq kn - 1$ for any integer $k$ and $1/n \le (r + 1)/n < 1$ and so
$[(r + 1)/n] = 0$. In this case, we have $[(m + 1)/n] = q + 0 = [m/n]$. On the other hand, if
$r = n - 1$, then $m = qn + n - 1 = n(q + 1) - 1 = nk - 1$, and $[(r + 1)/n] = 1$. In this case, we
have $[(m + 1)/n] = q + 1 = [m/n] + 1$.

29. The positive integers divisible by the positive integer $d$ are those integers of the form $kd$ where $k$
is a positive integer. The number of these that are less than $x$ is the number of positive integers $k$
with $kd < x$, or equivalently with $k < x/d$. There are $[x/d]$ such integers.

31. 128; 18

33. 457

35. It costs $44 - [1 - x]17$ cents to mail a letter weighing $x$ ounces. It can not cost $1.81; a 13-ounce
letter costs $2.65.

37. Multiplying two integers of this form gives us $(4n + 1)(4m + 1) = 16mn + 4m + 4n + 1 =
4(4mn + m + n) + 1$. Similarly, $(4n + 3)(4m + 3) = 16mn + 12m + 12n + 9 = 4(4mn + 3m +
3n + 2) + 1$.

39. Every odd integer may be written in the form $4k + 1$ or $4k + 3$. Observe that $(4k + 1)^4 = 16^2k^4 +
4(4k)^3 + 6(4k)^2 + 4(4k) + 1 = 16(16k^4 + 16k^3 + 6k^2 + k) + 1$. Proceeding further, $(4k + 3)^4 =
(4k)^4 + 12(4k)^3 + 54(4k)^2 + 108(4k) + 3^4 = 16(16k^4 + 48k^3 + 54k^2 + 27k + 5) + 1$.

41. Of any consecutive three integers, one is a multiple of three. Also, at least one is even. Therefore,
the product is a multiple of $2 \cdot 3 = 6$.

43. For the basis step, note that $0^3 + 1^3 + 2^3 = 9$ is a multiple of 9. Suppose that $n^3 + (n + 1)^3 + (n +
2)^3 = 9k$ for some integer $k$. Then $(n + 1)^3 + (n + 2)^3 + (n + 3)^3 = n^3 + (n + 1)^3 + (n + 2)^3 +
(n + 3)^3 - n^3 = 9k + n^3 + 9n^2 + 27n + 27 - n^3 = 9k + 9n^2 + 27n + 27 = 9(k + n^2 + 3n + 3)$,
which is a multiple of 9.

45. We proceed by mathematical induction. The basis step is clear. Assume that only $f_{4n}$'s are divisible
by 3 for $f_i$, $i \le 4k$. Then, as $f_{4k+1} = f_{4k} + f_{4k-1}$, $3 \mid f_{4k}$ and $3 \mid f_{4k+1}$ gives us the contradiction
$3 \mid f_{4k-1}$. Thus, $3 \nmid f_{4k+1}$. Continuing on, if $3 \mid f_{4k}$ and $3 \mid f_{4k+2}$, then $3 \mid f_{4k+1}$, which contradicts
the statement just proved. If $3 \mid f_{4k}$ and $3 \mid f_{4k+3}$, then, because $f_{4k+3} = 2f_{4k+1} + f_{4k}$, we again
have a contradiction. But, as $f_{4k+4} = 3f_{4k+1} + 2f_{4k}$, and $3 \mid f_{4k}$ and $3 \mid 3 \cdot f_{4k+1}$, we see that
$3 \mid f_{4k+4}$.


47. 


49. 
51. 


53. 


55. 
First note that for $n > 5$, $5f_{n-4} + 3f_{n-5} = 2f_{n-4} + 3(f_{n-4} + f_{n-5}) = 2f_{n-4} + 3f_{n-3} = 2(f_{n-4} + f_{n-3}) + f_{n-3} = 2f_{n-2} + f_{n-3} = f_{n-2} + f_{n-2} + f_{n-3} = f_{n-2} + f_{n-1} = f_n$, which 
proves the first identity. Now note that $f_5 = 5$ is divisible by 5. Suppose that $f_{5n}$ is divisible by 5. 
From the identity above, $f_{5n+5} = 5f_{5n+5-4} + 3f_{5n+5-5} = 5f_{5n+1} + 3f_{5n}$, which is divisible by 5 
because $5f_{5n+1}$ is a multiple of 5 and, by the induction hypothesis, so is $f_{5n}$. This completes the 
induction. 


39, 59, 89, 134, 67, 101, 152, 76, 38, 19, 29, 44, 22, 11, 17, 26, 13, 20, 10, 5, 8, 4, 2, 1 


We prove this using the second principle of mathematical induction. Because $T(2) = 1$, the Collatz 
conjecture is true for $n = 2$. Now assume that the conjecture holds for all integers less than $n$. 
By assumption, there is an integer $k$ such that $k$ iterations of the transformation $T$, starting at $n$, 
produces an integer $m$ less than $n$. By the inductive hypothesis, there is an integer $l$ such that 
iterating $T$ $l$ times starting at $m$ produces the integer 1. Hence, iterating $T$ $k + l$ times starting 
with $n$ leads to 1. 


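We first show that $(2 + \sqrt{3})^n + (2 - \sqrt{3})^n$ is an even integer. By the binomial theorem, it 
follows that $(2 + \sqrt{3})^n + (2 - \sqrt{3})^n = \sum_{j=0}^{n} \binom{n}{j} 2^j (\sqrt{3})^{n-j} + \sum_{j=0}^{n} \binom{n}{j} 2^j (-\sqrt{3})^{n-j} = 2\left(2^n + \binom{n}{2} 3 \cdot 2^{n-2} + \binom{n}{4} 3^2 \cdot 2^{n-4} + \cdots\right) = 2l$ where $l$ is an integer. Next, note that $(2 - \sqrt{3})^n < 1$. 
Because $(2 + \sqrt{3})^n$ is not an integer, we see that $[(2 + \sqrt{3})^n] = (2 + \sqrt{3})^n + (2 - \sqrt{3})^n - 1$. It 
follows that $[(2 + \sqrt{3})^n]$ is odd. 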


We prove existence of $q$ and $r$ by induction on $a$. First assume that $a \ge 0$. Assume existence 
in the division algorithm holds for all nonnegative integers less than $a$. If $a < b$, then let $q = 0$ 
and $r = a$, so that $a = qb + r$ and $0 \le r = a < b$. If $a \ge b$, then $a - b$ is nonnegative and by 
the induction hypothesis, there exist $q'$ and $r'$ such that $a - b = q'b + r'$, with $0 \le r' < b$. Then 
$a = (q' + 1)b + r'$, so we let $q = q' + 1$ and $r = r'$. This establishes the induction step, so existence 
is proved for $a \ge 0$. Now suppose $a < 0$. Then $-a > 0$, so, from our work above, there exist $q'$ 
and $r'$ such that $-a = q'b + r'$ and $0 \le r' < b$. Then $a = -q'b - r'$. If $r' = 0$, we're done. If not, 
then $0 < b - r' < b$ and $a = (-q' - 1)b + b - r'$, so letting $q = -q' - 1$ and $r = b - r'$ satisfies 
the theorem. Uniqueness is proved just as in the text. 


Section 2.1 


13. 


15. 


17. 


- $(175)_{10}$; $(1111100111)_2$ 
- $(8F5)_{16}$; $(74E)_{16}$ 


. This is because we are using the blocks of three digits as one “digit,” which has 1000 possible values. 


. −39; 26 


. If $m$ is any integer weight less than $2^k$, then by Theorem 1.10, $m$ has a base two expansion $m = a_{k-1}2^{k-1} + a_{k-2}2^{k-2} + \cdots + a_1 2^1 + a_0 2^0$, where each $a_i$ is 0 or 1. The $2^i$ weight is used if 
and only if $a_i = 1$. 

Let $w$ be the weight to be measured. By Exercise 10, $w$ has a unique balanced ternary expansion. 
Place the object in pan 1. If $e_i = 1$, then place a weight of $3^i$ into pan 2. If $e_i = -1$, then place a 
weight of $3^i$ in pan 1. If $e_i = 0$, then do not use the weight of $3^i$. Now the pans will be balanced. 


To convert a number from base $r$ to base $r^n$, take the number in blocks of size $n$. To go the other 
way, convert each digit of a base $r^n$ number to base $r$, and concatenate the results. 


$(a_k a_{k-1} \ldots a_0 00 \ldots 00)_b$, where we have placed $m$ zeroes at the end of the base $b$ expansion 
of $n$ 
31. 
35. 


37. 




a. −6  b. 13  c. −14  d. 0 

If $m$ is positive, then $a_{n-1} = 0$ and $a_{n-2}a_{n-3} \ldots a_0$ is the binary expansion of $m$. Hence, 
$m = \sum_{i=0}^{n-2} a_i 2^i$ as desired. If $m$ is negative, then the one’s complement expansion for $m$ has 
its leading bit equal to 1. If we view the bit string $a_{n-2}a_{n-3} \ldots a_0$ as a binary number, then it 
represents $(2^{n-1} - 1) - (-m)$, because finding the one’s complement is equivalent to subtracting 
the binary number from $111 \cdots 1$. That is, $(2^{n-1} - 1) - (-m) = \sum_{i=0}^{n-2} a_i 2^i$. Solving for $m$ gives 
us the desired identity. 


a. −7  b. 13  c. −15  d. −1 
Complement each of the digits in the two’s complement representation for m and then add 1. 
4n 


We first show that every positive integer has a Cantor expansion. To find a Cantor expansion 
of the positive integer $n$, let $m$ be the unique positive integer such that $m! \le n < (m + 1)!$. By 
the division algorithm there is an integer $a_m$ such that $n = m! \cdot a_m + r_m$, where $0 \le a_m \le m$ and 
$0 \le r_m < m!$. We iterate, finding that $r_m = (m - 1)! \cdot a_{m-1} + r_{m-1}$ where $0 \le a_{m-1} \le m - 1$ and 
$0 \le r_{m-1} < (m - 1)!$. We iterate $m - 2$ more times, where we have $r_i = (i - 1)! \cdot a_{i-1} + r_{i-1}$ 
where $0 \le a_{i-1} \le i - 1$ and $0 \le r_{i-1} < (i - 1)!$ for $i = m + 1, m, m - 1, \ldots, 2$ with $r_{m+1} = n$. 
At the last stage, we have $r_2 = 1! \cdot a_1 + 0$ where $r_2 = 0$ or 1 and $r_2 = a_1$. Uniqueness is proven as 
in the base-$b$ expansion. 


Call a position good if the number of ones in each column is even, and bad otherwise. Because a 
player can only affect one row, he or she must affect some column sums. Thus, any move from a 
good position produces a bad position. To find a move from a bad position to a good one, construct 
a binary number by putting a 1 in the place of each column with odd sum, and a 0 in the place of 
each column with even sum. Subtracting this number of matches from the largest pile will produce 
a good position. 

a. First show that the result of the operation must yield a multiple of 9. Then it suffices to check 
only multiples of 9 with decreasing digits. There are only 79 of these. If we perform the operation 
on each of these 79 numbers and reorder the digits, we will have one of the following 23 numbers: 
7551, 9954, 5553, 9990, 9981, 8820, 9810, 9620, 8532, 8550, 9720, 9972, 7731, 6543, 8730, 
8640, 8721, 7443, 9963, 7632, 6552, 6642, or 6174. It will suffice to check only 9810, 7551, 
9990, 8550, 9720, 8640, and 7632, because the other numbers will appear in the sequences which 
these 8 numbers generate. b. 8 


Consider dg = (3043)_6. We find that 7, repeats with period 6. Therefore, it never goes to a 
Kaprekar’s constant for the base 6. 

Suppose $n = a_i + a_j = a_k + a_l$ with $i \le j$ and $k \le l$. First, suppose $i \ne j$. Then $n = a_i + a_j = 2^i + 2^j$ is the binary expansion of $n$. By Theorem 2.1, this expansion is unique. If $k = l$, then 
$a_k + a_l = 2^{k+1}$, which would be a different binary expansion of $n$, so $k \ne l$. Then we must have 
$i = k$ and $j = l$ by Theorem 2.1, so the sum is unique. Next, suppose $i = j$. Then $n = 2^{i+1}$ and so 
$a_k + a_l = 2^k + 2^l = 2^{i+1}$. This forces $k = l = i$, and again the sum is unique. Therefore, $\{a_i\}$ is a 
Sidon sequence. 


Section 2.2 


1. 
3. 
5. 
7. 


$(10010110110)_2$ 
$(1011101100)_2$ 
$(10110001101)_2$ 

$q = (11111)_2$, $r = (1100)_2$ 


19, 


21. 


23. 
» (3314430). 

- $(4320023)_5$ 

« $(16665)_{16}$ 

- $(B705736)_{16}$ 

. We represent the integer $(18235187)_{10}$ using three words, $((018)(235)(187))_{1000}$, and the integer $(22135674)_{10}$ using three words, $((022)(135)(674))_{1000}$, where each base 1000 digit is 
represented by three base 10 digits in parentheses. To find the sum, difference, and product of these 
integers from their base 1000 representations, we carry out the algorithms for such computations 
for base 1000. 


To add numbers using the one’s complement representation, first decide whether the answer 
will be negative or positive. To do this is easy if both numbers have the same lead (sign) bit; 
otherwise, conduct a bit-by-bit comparison of a positive summand’s digits and the complement of 
the negative’s. Now add the other digits (all but the initial (sign) bit) as an ordinary binary number. 
If the sum is greater than $2^n$, we have an overflow error. If not, consider the three quantities of the 
two summands and the sum. If exactly zero or two of these are negative, we’re done. Otherwise, 
we need to add $(1)_2$ to this answer. Also, add an appropriate sign bit to the front of the number. 
Let $a = (a_m a_{m-1} \ldots a_2 a_1)$ and $b = (b_m b_{m-1} \ldots b_2 b_1)$. Then $a + b$ is obtained by adding the 
digits from right to left with the following rule for producing carries. If $a_j + b_j + c_{j-1}$, where 
$c_{j-1}$ is the carry from adding $a_{j-1}$ and $b_{j-1}$, is greater than $j$, then $c_j = 1$, and the resulting 
$j$th digit is $a_j + b_j + c_{j-1} - j - 1$. Otherwise, $c_j = 0$. To subtract $b$ from $a$, assuming $a > b$, 
we let $d_j = a_j - b_j + c_{j-1}$ and set $c_j = 0$ if $a_j - b_j + c_{j-1}$ is between 0 and $j$. Otherwise, 
$d_j = a_j - b_j + c_{j-1} + j + 1$ and set $c_j = -1$. In this manner, $a - b = (d_m d_{m-1} \ldots d_2 d_1)$. 

We have $(a_n a_{n-1} \ldots a_1 5)_{10}^2 = (10(a_n a_{n-1} \ldots a_1)_{10} + 5)^2 = 100(a_n \ldots a_1)_{10}^2 + 100(a_n \ldots a_1)_{10} + 25 = 100(a_n \ldots a_1)_{10}((a_n \ldots a_1)_{10} + 1) + 25$. The decimal digits of this number consist of the decimal 
digits of $(a_n \ldots a_1)_{10}((a_n \ldots a_1)_{10} + 1)$ followed by 25 because this first product is multiplied by 
100, which shifts its decimal expansion two digits. 


Section 2.3 


11. 


13. 


- a. yes  b. no  c. yes  d. yes  e. yes  f. yes 
. First note that $(n^3 + 4n^2 \log n + 101n^2)$ is $O(n^3)$ and that $(14n \log n + 8n)$ is $O(n \log n)$ as in Example 2.12. Now applying Theorem 2.3 yields the result. 


. Use Exercise 4 and follow Example 2.12 noting that (log n)? < n3 whenever n is a positive integer. 
. Let $k$ be an integer with $1 \le k \le n$. Consider the function $f(k) = (n + 1 - k)k$, whose graph is a concave-down parabola with $k$-intercepts at $k = 0$ and $k = n + 1$. Because $f(1) = f(n) = n$, it is 
clear that $f(k) \ge n$ for $k = 1, 2, 3, \ldots, n$. Now consider the product $(n!)^2 = \prod_{k=1}^{n} k(n + 1 - k) \ge \prod_{k=1}^{n} n$, by the inequality above. This last is equal to $n^n$. Thus, we have $n^n \le (n!)^2$. Taking 
logarithms of both sides yields $n \log(n) \le 2 \log(n!)$, which shows that $n \log(n)$ is $O(\log(n!))$. 


. Suppose that $f$ is $O(g)$ where $f(n)$ and $g(n)$ are positive integers for every integer $n$. Then there is an integer $C$ such that $f(n) < Cg(n)$ for all $x \in S$. Then $f^k(n) < C^k g^k(n)$ for all $x \in S$. Hence, 
$f^k$ is $O(g^k)$. 

The number of digits in the base $b$ expansion of $n$ is $1 + k$ where $k$ is the largest integer such that 
$b^k \le n < b^{k+1}$ because there is a digit for each of the powers of $b^0, b^1, \ldots, b^k$. Note that this 
inequality is equivalent to $k \le \log_b n < k + 1$, so that $k = [\log_b n]$. Hence, there are $[\log_b n] + 1$ 
digits in the base $b$ expansion of $n$. 

To multiply an n-digit integer by an m-digit integer in the conventional manner, one must multiply 
every digit of the first number by every digit of the second number. There are nm such pairs. 
17. 
19. 


21. 


23. 
a. O(n log? n log, log, n log, log, logyn)  b. $O((n \log n)^{1+\epsilon})$ for any $\epsilon > 0$ 

$(1100011)_2$ 

a. $ab = (10^{2n} + 10^n)A_1B_1 + 10^n(A_1 - A_0)(B_0 - B_1) + (10^n + 1)A_0B_0$ where $A_i$ and $B_i$ are 
defined as in identity (2.2). b. 6351  c. 11,522,328 
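The identity in part a, applied recursively so that each level costs three smaller products instead of four, as an added Python example (not from the book). The function names, the digit-splitting rule, and the sample operands 73 × 87 and 4216 × 2733 are choices made here.

```python
def split(x, n):
    """Return (X1, X0) with x = X1 * 10**n + X0 and 0 <= X0 < 10**n."""
    return divmod(x, 10 ** n)


def multiply(a, b, counter=None):
    """Multiply nonnegative integers a and b with the three-product identity

        ab = (10^(2n) + 10^n) A1 B1 + 10^n (A1 - A0)(B0 - B1) + (10^n + 1) A0 B0.

    counter, if given, is a one-element list that is incremented once for
    every base-case product (one operand is a single decimal digit).
    """
    if a < 0 or b < 0:
        raise ValueError("operands must be nonnegative")
    if a < 10 or b < 10:
        if counter is not None:
            counter[0] += 1
        return a * b

    # Split both operands at n digits, n = half the longer length, rounded up.
    digits = max(len(str(a)), len(str(b)))
    n = (digits + 1) // 2
    a1, a0 = split(a, n)
    b1, b0 = split(b, n)

    high = multiply(a1, b1, counter)   # A1 * B1
    low = multiply(a0, b0, counter)    # A0 * B0

    # The middle factor (A1 - A0)(B0 - B1) can be negative, so multiply the
    # absolute values and restore the sign afterwards.
    da, db = a1 - a0, b0 - b1
    sign = -1 if (da < 0) != (db < 0) else 1
    mid = sign * multiply(abs(da), abs(db), counter)

    return (10 ** (2 * n) + 10 ** n) * high + 10 ** n * mid + (10 ** n + 1) * low


if __name__ == "__main__":
    for x, y in [(73, 87), (4216, 2733)]:
        count = [0]
        print(x, "*", y, "=", multiply(x, y, count), "using", count[0], "digit products")
```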

That the given equation is an identity may be seen by direct calculation. The seven multiplications 
necessary to use this identity are $a_{11}b_{11}$, $a_{12}b_{21}$, $(a_{11} - a_{21} - a_{22})(b_{11} - b_{12} - b_{22})$, $(a_{21} + a_{22})(b_{12} - b_{11})$, $(a_{11} + a_{12} - a_{21} - a_{22})b_{22}$, $(a_{11} - a_{21})(b_{22} - b_{12})$, and $a_{22}(b_{11} - b_{21} - b_{12} + b_{22})$. 

Let $k = [\log_2 n] + 1$. Then the number of multiplications for $2^k \times 2^k$ matrices is $O(7^k)$. But, 
$7^k = 2^{(\log_2 7)([\log_2 n] + 1)} = O(2^{\log_2 n \log_2 7} 2^{\log_2 7}) = O(n^{\log_2 7})$. The other bit operations are absorbed 
into this term. 


Section 3.1 


- a. yes  b. yes  c. yes  d. no  e. yes  f. no 


3. 2, 3,5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 
107, 109, 113, 127, 131, 137, 139, 149 
5. none 


7. Using the identity given in the hint with $k$ such that $1 < k < n$ and $k \mid n$, then $a^k - 1 \mid a^n - 1$. 


19. 


21. 


23. 


25. 
27. 


29. 


Because $a^n - 1$ is prime by hypothesis, $a^k - 1 = 1$. From this, we see that $a = 2$ and $k = 1$, 
contradicting the fact that $k > 1$. Thus, we must have $a = 2$ and $n$ is prime. 


. We need to assume $n > 3$ to assure that $S_n > 1$. Then by Lemma 3.1, $S_n$ has a prime divisor $p$. If $p \le n$, then $p \mid n!$, and so $p \mid n! - S_n = 1$, a contradiction. Therefore, we must have $p > n$. Because 
we can find arbitrarily large primes, there must be infinitely many. 


« 3, 7, 31, 211, 2311, 59 


. If $n$ is prime, we are done. Otherwise $n/p < (\sqrt[3]{n})^2$. If $n/p$ is prime, then we are done. Otherwise, by Theorem 3.2, $n/p$ has a prime factor less than $\sqrt{n/p} < \sqrt[3]{n}$, a contradiction. 


- a. 7  b. 19  c. 71 
. A positive integer has a decimal expansion ending in 1 if and only if it is of the form $10k + 1$ for some integer $k$. This represents an arithmetic progression. Because $(10, 1) = 1$, we may apply 
Dirichlet’s theorem to conclude that there are infinitely many primes of this form. 


A positive integer has a decimal expansion ending in 123 if and only if it is of the form 1000k + 123 
for some integer k. This represents an arithmetic progression. Because (1000, 123) = 1, we may 
apply Dirichlet’s theorem to conclude that there are infinitely many primes of this form. 


Let $n$ be fixed, and let $a$ be the integer with decimal expansion a string of $n$ 1s followed by a 3. 
Consider the arithmetic progression $10^{n+1}k + a$. Because $a$ ends in 3, it can not be divisible by 
2 or 5, so $(10^{n+1}, a) = 1$. Then by Dirichlet’s theorem, there are infinitely many primes in this 
progression, and each has the desired form. 


If $n$ is prime the statement is true for $n$. Otherwise, $n$ is composite, so $n$ is the product of two 
integers $a$ and $b$ such that $1 < a \le b < n$. Because $n = ab$ and because by the inductive hypothesis 
both $a$ and $b$ are the product of primes, we conclude that $n$ is also the product of primes. 


a3 


For $n = 0, 1, 2, \ldots, 10$, the values of the function are 11, 13, 19, 29, 43, 61, 83, 109, 139, 173, 211, 
each of which is prime. But $2 \cdot 11^2 + 11 = 11(2 \cdot 11 + 1) = 11 \cdot 23$. 


Assume not. Let $x_0$ be a positive integer. It follows that $f(x_0) = p$ where $p$ is prime. Let 
$k$ be an integer. We have $f(x_0 + kp) = a_n(x_0 + kp)^n + \cdots + a_1(x_0 + kp) + a_0$. Note that 


31. 
by the binomial theorem, $(x_0 + kp)^i = \sum_{j=0}^{i} \binom{i}{j} x_0^{i-j}(kp)^j$. It follows that $f(x_0 + kp) = \sum_{i=0}^{n} a_i x_0^i + Np = f(x_0) + Np$, for some integer $N$. Because $p \mid f(x_0)$ it follows that 
$p \mid (f(x_0) + Np) = f(x_0 + kp)$. Because $f(x_0 + kp)$ is supposed to be prime, it follows that 
$f(x_0 + kp) = p$ for all integers $k$. This contradicts the fact that a polynomial of degree $n$ takes on 
each value no more than $n$ times. Hence $f(y)$ is composite for at least one integer $y$. 


At each stage of the procedure for generating the lucky numbers the smallest number left, say 
k, is designated to be a lucky number and infinitely many numbers are left after the deletion of 
every kth integer left. It follows that there are infinitely many steps, and at each step a new lucky 
number is added to the sequence. Hence there are infinitely many lucky numbers. 


Section 3.2 


1. 
3. 


24, 25, 26, 27, 28 


Suppose that $p$, $p + 2$, and $p + 4$ were all prime. We consider three cases. First, suppose that 
$p$ is of the form $3k$. Then $p$ cannot be prime unless $k = 1$, and the prime triplet is 3, 5, and 7. Next, suppose that $p$ is of the form $3k + 1$. Then $p + 2 = 3k + 3 = 3(k + 1)$ is not prime. 
We obtain no prime triplets in this case. Finally, suppose that $p$ is of the form $3k + 2$. Then 
$p + 4 = 3k + 6 = 3(k + 2)$ is not prime. We obtain no prime triplet in this case either. 


. (7, 11, 13), (13, 17, 19), (37, 41, 43), (67, 71, 73) 


7. a. 5  b. 7  c. 29  d. 53 
9. 127, 149, 173, 197, 227, 257, 293, 331, 367, 401 


11. 


13. 


15. 


17. 


19. 
21. 
23. 


If p is a prime of the form 105n + 97, then p + 2 = 105n + 99 = 3(35n + 33) which is not prime, 
so p can not be the first member of a prime triple. Also, p — 2 = 105n + 95 = 5(21n + 19), which 
is not prime, so p can not be the second member of a prime triple. Finally, p — 6 = 105n + 91= 
7(15n + 13) is not prime, so p can not be the third member of a prime triple. Because (97, 105) = 1, 
Dirichlet’s theorem tells us that the arithmetic progression 105n + 97 contains infinitely many 
such primes. 


a. 7 = 3 + 2 + 2  b. 17 = 11 + 3 + 3  c. 27 = 23 + 2 + 2  d. 97 = 89 + 5 + 3 
e. 101 = 97 + 2 + 2  f. 199 = 191 + 5 + 3 


Suppose that n > 5 and that Goldbach’s conjecture is true. Apply Goldbach’s conjecture to n — 2 
if n is even, or n — 3 if n is odd. Conversely, suppose that every integer greater than 5 is the sum 
of three primes. Let n > 2 be an even integer. Then n + 2 is also an even integer that is the sum 
of three primes, not all odd. 


Let $p < n$ be prime. Using the division algorithm, we divide each of the first $p + 1$ integers in the 
sequence by $p$ to get $a = q_0p + r_0$, $a + k = q_1p + r_1$, $\ldots$, $a + pk = q_pp + r_p$, with $0 \le r_i < p$ 
for each $i$. By the pigeonhole principle, at least two of the remainders must be equal, say, $r_i = r_j$. 
We subtract the corresponding equations to get $a + ik - a - jk = q_ip + r_i - q_jp + r_j$, which 
reduces to $(i - j)k = (q_i - q_j)p$. Therefore $p \mid (i - j)k$, and because $p$ is prime, it must divide 
one of the factors. But because $(i - j) < p$, we must have $p \mid k$. 


The difference is 6, achieved with 5, 11, 17, 23. 
The difference is 30, achieved with 7, 37, 67, 97, 127, 157. 


If $p^\alpha - q^\beta = 1$, with $p$, $q$ primes, then $p$ or $q$ is even, so $p$ or $q$ is 2. If $p = 2$, there are several 
cases: we have $2^\alpha - q^\beta = 1$. If $\alpha$ is even, say, $\alpha = 2k$, $(2^{2k} - 1) = (2^k - 1)(2^k + 1) = q^\beta$. So 
$q \mid (2^k - 1)$ and $q \mid (2^k + 1)$; hence, $q = 1$, a contradiction. If $\alpha$ is odd and $\beta$ is odd, $2^\alpha = 1 + q^\beta = (1 + q)(q^{\beta-1} - q^{\beta-2} + \cdots + 1)$. So $1 + q = 2^n$ for some $n$. Then $2^\alpha = (2^n - 1)^\beta + 1 = 2^n(\text{odd number})$, because $\beta$ is odd. So $2^{\alpha-n} = $ odd number, and so $\alpha = n$. Therefore, $2^\alpha = 1 + (2^\alpha - 1)^\beta$ 
and so $\beta = 1$, which is not allowed. If $\alpha = 2k + 1$ and $\beta = 2n$ we have $2^{2k+1} = 1 + q^{2n}$. Because 
27. 
33. 
$q$ is odd, $q^2$ is of the form $4m + 1$, and by the binomial theorem, so is $q^{2n}$. Thus, the right-hand 
side of the last equation is of the form $4m + 2$, but this forces $k = 0$, a contradiction. If 
$q = 2$, we have $p^\alpha - 2^\beta = 1$. Whence $2^\beta = (p - 1)(p^{\alpha-1} + p^{\alpha-2} + \cdots + p + 1)$, where the 
last factor is the sum of $\alpha$ odd terms but must be a power of 2; therefore, $\alpha = 2k$ for some $k$. 
Then $2^\beta = (p^k - 1)(p^k + 1)$. These last two factors are powers of 2 that differ by 2, which forces 
$k = 1$, $\alpha = 2$, $\beta = 3$, $p = 3$, and $q = 2$ as the only solution: $3^2 - 2^3 = 1$. 


Because $3p > 2n$, $p$ and $2p$ are the only multiples of $p$ that appear as factors in $(2n)!$. So $p$ 
divides $(2n)!$ exactly twice. Because $2p > n$, $p$ is the only multiple of $p$ that appears as a factor in 
$n!$. So $p \mid n!$ exactly once. Then, because $\binom{2n}{n} = (2n)!/(n!\,n!)$, the two factors of $p$ in the numerator 
are canceled by the two in the denominator. 

By Bertrand’s conjecture, there must be a prime in each interval of the form $(2^{k-1}, 2^k)$, for 
$k = 2, 3, 4, \ldots$. Thus, there are at least $k - 1$ primes less than $2^k$. Because the prime 2 isn’t 
counted here, we have at least $k$ primes less than $2^k$. 


Because $1/1$ is an integer, we may assume $n > 1$. First suppose that $m < n$. Then $1/n + 1/(n + 1) + \cdots + 1/(n + m) < 1/n + 1/(n + 1) + \cdots + 1/(2n - 1) < 1/n + 1/n + \cdots + 1/n < n(1/n) = 1$, 
so the sum can not be an integer. Now suppose $m \ge n$. Then by Bertrand’s postulate, there 
is a prime $p$ such that $n < p < n + m$. Let $p$ be the largest such prime. Then $n + m < 2p$; 
otherwise, there would be a prime $q$ with $p < q < 2p < n + m$, contradicting the choice of $p$. 
Suppose that $1/n + 1/(n + 1) + \cdots + 1/p + \cdots + 1/(n + m) = a$ where $a$ is an integer. Note 
that $p$ occurs as a factor in only one denominator, because $2p > n + m$. Let $Q = \prod_{i=n}^{n+m} i$, 
and let $Q_i = Q/i$, for $i = n, n + 1, \ldots, n + m$. If we multiply the equation by $Q$, we get 
$Q_n + Q_{n+1} + \cdots + Q_p + \cdots + Q_{n+m} = Qa$. Note that every term on both sides of the equation 
is divisible by $p$ except for $Q_p$. If we solve the equation for $Q_p$ and factor a $p$ out of the other 
side, we have an equation of the form $Q_p = pN$ where $N$ is some integer. But this implies that $p$ 
divides $Q_p$, a contradiction. 


Suppose $n$ has the stated property and $n > p^2$ for some prime $p$. Because $p^2$ is not prime, there 
must be a prime dividing both $p^2$ and $n$, and the only possibility for this is $p$ itself, that is, $p \mid n$. Now 
if $n > 7^2$, then it is greater than $2^2$, $3^2$, and $5^2$, and hence divisible by 2, 3, 5, and 7. This is the 
basis step for induction. Now assume $n$ is divisible by $p_1, p_2, \ldots, p_k$. By Bonse’s inequality, 
$p_{k+1}^2 < p_1p_2 \cdots p_k \le n$, so $p_{k+1} \mid n$ also. This induction implies that every prime divides $n$, which 
is absurd. Therefore, if $n$ has the stated property, it must be less than $7^2 = 49$. To finish, check the 
remaining cases. 


First suppose $n > 8$. Note that by Bertrand’s postulate we have $p_{n-1} < p_n < 2p_{n-1}$ and 
$p_{n-2} < p_{n-1} < 2p_{n-2}$. Therefore, $p_n^2 < (2p_{n-1})(2p_{n-1}) < (2p_{n-1})(4p_{n-2}) = 8p_{n-1}p_{n-2} = p_{n-1}p_{n-2}p_5 < p_{n-1}p_{n-2}p_{n-3}$, because $n > 8$. Now check the cases $n = 6$ and 7. 


From Corollary 3.4.1, we expect $p_{1,000,000} \sim 10^6 \log 10^6 \sim 10^6 \cdot 6(2.306) = 13,836,000$. The 
millionth prime is, in fact, 15,485,863. 


Section 3.3 

1. a. 5  b. 111  c. 6  d. 1  e. 11  f. 2 

3. a 

5. 1 

7. Let $a$ and $b$ be even integers. Then $a = 2k$ and $b = 2l$ for some integers $k$ and $l$. Let $d = (a, b)$. Then by Bezout’s theorem, there exist integers $m$ and $n$ such that $d = ma + nb = m2k + n2l = 2(mk + nl)$. Therefore $2 \mid d$, and so $d$ is even. 


23. 


25. 


27. 


29. 


31. 
. By Theorem 3.8, $(ca, cb) = cma + cnb = |c| \cdot |ma + nb|$, where $cma + cnb$ is as small as possible. Therefore, $|ma + nb|$ is as small a positive integer as possible, i.e., equal to $(a, b)$. 


- 1 or 2 
. Let $a = 2k$. Because $(a, b) \mid b$, and $b$ is odd, $(a, b)$ is odd. But $(a, b) \mid a = 2k$. Thus, $(a, b) \mid k$. So $(a, b) = (k, b) = (a/2, b)$. 


. Let $d = (a, b)$. Then $(a/d, b/d) = 1$, so if $g \mid a/d$, then $(g, b/d) = 1$. In particular, if we let $e = (a/d, bc/d)$, then $e \mid a/d$, so $(e, b/d) = 1$, so we must have $e \mid c$. Because $e \mid a/d$, then $e \mid a$, 
so $e \mid (a, c)$. Conversely, if $f = (a, c)$, then $(f, b) = 1$, so $(d, f) = 1$, so $f \mid a/d$, and, trivially, 
$f \mid bc/d$. Therefore $f \mid e$, whence $e = f$. Then $(a, b)(a, c) = de = d(a/d, bc/d) = (a, bc)$. 


. 10, 26, 65 
. a. 2  b. 5  c. 99  d. 3  e. 7  f. 1001 


. Let $A = (a_1, a_2, \ldots, a_n)$ and $D = (ca_1, ca_2, \ldots, ca_n)$. Then for each $i$, we have $A \mid a_i$, so that $cA \mid ca_i$. Thus, $cA \mid D$. Next, note that for each $i$, $c \mid ca_i$, so $c \mid D$. Then $D = cd$ for some integer 
$d$. Then for each $i$, $D = cd \mid ca_i$, and hence $d \mid a_i$. Therefore $d \mid A$, and so $D = cd \mid cA$. Because 
$cA \mid D$ and $D \mid cA$, we have $cA = D$, which completes the proof. 


Suppose that $(6k + a, 6k + b) = d$. Then $d \mid b - a$. We have $a, b \in \{-1, 1, 2, 3, 5\}$, so if $a < b$, 
it follows that $b - a \in \{1, 2, 3, 4, 6\}$. Hence, $d \in \{1, 2, 3, 4, 6\}$. To show that $d = 1$, it is sufficient 
to show that neither 2 nor 3 divides $(6k + a, 6k + b)$. If $p = 2$ or $p = 3$ and $p \mid (6k + a, 6k + b)$, 
then $p \mid a$ and $p \mid b$. However, there are no such pairs $a, b$ in the set $\{-1, 1, 2, 3, 5\}$. 


Applying Theorem 3.7, we have $(8a + 3, 5a + 2) = (8a + 3 - (5a + 2), 5a + 2) = (3a + 1, 5a + 2) = (3a + 1, 5a + 2 - (3a + 1)) = (3a + 1, 2a + 1) = (3a + 1 - (2a + 1), 2a + 1) = (a, 2a + 1) = (a, 2a + 1 - 2a) = (a, 1) = 1$, so $8a + 3$ and $5a + 2$ are relatively prime. 

Applying Theorem 3.7 to the numerator and denominator, we have $(15k + 4, 10k + 3) = (15k + 4 - (10k + 3), 10k + 3) = (5k + 1, 10k + 3) = (5k + 1, 10k + 3 - 2(5k + 1)) = (5k + 1, 1) = 1$. 
Because the numerator and denominator are relatively prime, the fraction must be in lowest terms. 

From Exercise 21, we know that $6k - 1$, $6k + 1$, $6k + 2$, $6k + 3$, and $6k + 5$ are pairwise 
relatively prime. To represent $n$ as the sum of two relatively prime integers greater than 1, 
let $n = 12k + h$, $0 \le h < 12$. We now examine the twelve cases, one for each possible value of $h$: 


h     n 
0     (6k − 1) + (6k + 1) 
1     (6k − 1) + (6k + 2) 
2     (6k − 1) + (6k + 3) 
3     (6k + 1) + (6k + 2) 
4     (6k + 1) + (6k + 3) 
5     (6k + 2) + (6k + 3) 
6     (6k + 1) + (6k + 5) 
7     (6k + 2) + (6k + 5) 
8     (6k + 3) + (6k + 5) 
9     (12k + 7) + 2 
10    (12k + 7) + 3 
11    (12k + 9) + 2 


Applying Theorem 3.7, we have $(2n^2 + 6n - 4, 2n^2 + 4n - 3) = (2n^2 + 6n - 4 - (2n^2 + 4n - 3), 2n^2 + 4n - 3) = (2n - 1, 2n^2 + 4n - 3) = (2n - 1, 2n^2 + 4n - 3 - n(2n - 1)) = (2n - 1, 5n - 3) = (2n - 1, 5n - 3 - 2(2n - 1)) = (2n - 1, n - 1) = (2n - 1 - 2(n - 1), n - 1) = (1, n - 1) = 1$, so the numbers are relatively prime. 
1? 5? 4° 3° 5? 2? 57 3° 4° 5° 1 

From Exercise 36, we have $cb - ad = de - cf = 1$. Then $c(b + f) = d(a + e)$, and so 
$c/d = (a + e)/(b + f)$. 

Because a/b < (a+ c)/(b +d) <c/d, we must have b + d >n, or a/b and c/d would not be 
consecutive, because otherwise, (a + c)/(b + d) would have appeared in the Farey series of order 
n. 


Because $(a/b) + (c/d) = (ad + bc)/bd$ is an integer, $bd \mid ad + bc$. Certainly, then, $bd \mid d(ad + bc) = ad^2 + cbd$. Now, because $bd \mid cbd$, it must be that $bd \mid ad^2$. From this, $bdn = ad^2$ 
for some integer $n$, and it follows that $bn = ad$, or $b \mid ad$. Because $(a, b) = 1$, we must have $b \mid d$. 
Similarly, we can find that $d \mid b$; hence, $b = d$. 


Consider the lattice points inside or on the triangle with vertices $(0, 0)$, $(a, 0)$, and $(a, b)$. Note 
that a lattice point lies on the diagonal from $(0, 0)$ to $(a, b)$ if and only if $[bx/a]$ is an integer. 
Let $d = (a, b)$ and $a = cd$, so that $(c, b) = 1$. Then $[bx/a]$ will be an integer exactly when $x$ is a 
multiple of $c$, because then $d \mid b$ and $c \mid x$ so then $a = cd \mid bx$. But there are exactly $d$ multiples of 
$c$ less than or equal to $a$ because $cd = a$, so there are exactly $d + 1$ lattice points on the diagonal 
when we count $(0, 0)$ also. So one way to count the lattice points in the triangle is to consider 
the rectangle that has $(a + 1)(b + 1)$ points and divide by 2. But we need to add back in half the 
points on the diagonal, which gives us $(a + 1)(b + 1)/2 + ((a, b) + 1)/2$ total points in or on the 
triangle. Another way to count all the points is to count each column above the horizontal axis, 
starting with $i = 1, 2, \ldots, a - 1$. The equation of the diagonal is $y = (b/a)x$, so for a given $i$, 
the number of points on or below the diagonal is $[bi/a]$. So the total number of interior points in 
the triangle plus the points on the diagonal is $\sum_{i=1}^{a-1} [bi/a]$. Then the right-hand boundary has $b$ 
points (not counting $(a, 0)$) and the lower boundary has $a + 1$ points (counting $(0, 0)$). So in all, 
we have $\sum_{i=1}^{a-1} [bi/a] + a + b + 1$ points in or on the triangle. If we equate our two expressions 
and multiply through by 2, we have $(a + 1)(b + 1) + (a, b) + 1 = 2 \sum_{i=1}^{a-1} [bi/a] + 2a + 2b + 2$, 
which simplifies to our expression. 

Assume there are exactly r primes and consider the r + 1 numbers (r + 1)!+ 1. From Lemma 
3.1, each of these numbers has a prime divisor, but from Exercise 34, these numbers are pairwise 
relatively prime, so these prime divisors must be unique, and so we must have at least r + 1 
different prime divisors, a contradiction. 


Section 3.4 


a. 15  b. 6  c. 2  d. 5 


a. (−1)75 + (2)45  b. (6)222 + (−13)102  c. −138(666) + (65)1414  d. −1707(20,785) + 
800(44,350) 


5. a. 1  b. 7  c. 5 
7. a. 16·6 − 8·10 − 15  b. 105 − 21·70 + 14·98  c. 0·280 + 0·330 − 75·405 + 62·490 


11. 
13. 


2 
2n − 2 
Suppose we have the balanced ternary expansions for integers $a > b$. If both expansions end in 
zero, then both are divisible by 3, and we can divide this factor of 3 out by deleting the trailing 
zeros (a shift), in which case $(a, b) = 3(a/3, b/3)$. If exactly one expansion ends in zero, then we 
can divide the factor of 3 out by shifting, and we have $(a, b) = (a/3, b)$, say. If both expansions 
end in 1 or in $-1$, then we can subtract the larger from the smaller to get $(a, b) = (a - b, b)$, say, 
and then the expansion for $a - b$ ends in zero. Finally, if one expansion ends in 1 and the other in 
$-1$, then we can add the two to get $(a + b, b)$, where the expansion of $a + b$ now ends in zero. 


15. 


17. 
19. 


21. 


23. 


25. 
Because a + b is no larger than 2a and because we can now divide a + b by 3, the larger term is 
reduced by a factor of at least 2/3 after two steps. Therefore, this algorithm will terminate in a 
finite number of steps, when we finally have a = b = 1. 
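The balanced ternary reduction described in this answer, written out as an added Python example (not from the book). It reads the last balanced ternary digit as the residue modulo 3 and stops as soon as the two numbers are equal; the function names and sample pairs are choices made here.

```python
def balanced_ternary(n):
    """Balanced ternary digits of n (most significant first), each in {-1, 0, 1}."""
    if n == 0:
        return [0]
    digits = []
    while n != 0:
        r = n % 3
        if r == 2:          # residue 2 is written as digit -1 with a carry
            r = -1
        digits.append(r)
        n = (n - r) // 3
    return digits[::-1]


def last_digit(n):
    """Last balanced ternary digit of n, without building the whole expansion."""
    r = n % 3
    return -1 if r == 2 else r


def ternary_gcd(a, b):
    """gcd(a, b) for positive integers using only shifts (division by 3),
    additions and subtractions, following the case analysis in the answer."""
    if a <= 0 or b <= 0:
        raise ValueError("both arguments must be positive")
    common = 1                      # powers of 3 removed from both numbers
    while a != b:
        da, db = last_digit(a), last_digit(b)
        if da == 0 and db == 0:     # both end in 0: (a, b) = 3 (a/3, b/3)
            a //= 3
            b //= 3
            common *= 3
        elif da == 0:               # only a ends in 0: (a, b) = (a/3, b)
            a //= 3
        elif db == 0:               # only b ends in 0: (a, b) = (a, b/3)
            b //= 3
        else:
            if a < b:               # keep the larger number in a
                a, b = b, a
            # Same last digit: a - b ends in 0. Opposite digits: a + b does.
            a = a - b if da == db else a + b
    return common * a


if __name__ == "__main__":
    for x, y in [(45, 75), (102, 222), (666, 1414), (20785, 44350)]:
        print(x, y, balanced_ternary(x), balanced_ternary(y), ternary_gcd(x, y))
```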


Let $r_0 = a$ and $r_1 = b$ be positive integers with $a > b$. By successively applying the least-remainder 
division algorithm, we find that 

$$r_0 = r_1q_1 + e_2r_2, \qquad -\frac{r_1}{2} < e_2r_2 \le \frac{r_1}{2}$$

$$r_{n-2} = r_{n-1}q_{n-1} + e_nr_n, \qquad -\frac{r_{n-1}}{2} < e_nr_n \le \frac{r_{n-1}}{2}$$

$$r_{n-1} = r_nq_n.$$

We eventually obtain a remainder of zero because the sequence of remainders $a = r_0 > r_1 > r_2 > \cdots > 0$ cannot contain more than $a$ terms. By Lemma 3.3, we see that $(a, b) = (r_0, r_1) = (r_1, r_2) = \cdots = (r_{n-2}, r_{n-1}) = (r_{n-1}, r_n) = (r_n, 0) = r_n$. Hence $(a, b) = r_n$, the last nonzero remainder. 

Let $v_2 = v_3 = 2$, and for $i > 4$, $v_i = 2v_{i-1} + v_{i-2}$. 

Performing the Euclidean algorithm with $r_0 = m$ and $r_1 = n$, we find that $r_0 = r_1q_1 + r_2$, $0 < r_2 < r_1$, $r_1 = r_2q_2 + r_3$, $0 < r_3 < r_2$, $\ldots$, $r_{k-3} = r_{k-2}q_{k-2} + r_{k-1}$, $0 < r_{k-1} < r_{k-2}$, and $r_{k-2} = r_{k-1}q_{k-1}$. We have $(m, n) = r_{k-1}$. We will use these steps to find the greatest common divisor 
of $a^m - 1$ and $a^n - 1$. First, we show that if $u$ and $v$ are positive integers, then the least positive 
residue of $a^u - 1$ modulo $a^v - 1$ is $a^r - 1$, where $r$ is the least positive residue of $u$ modulo $v$. 
To see this, note that $u = vq + r$, where $r$ is the least positive residue of $u$ modulo $v$. It follows 
that $a^u - 1 = a^{vq+r} - 1 = (a^v - 1)(a^{v(q-1)+r} + \cdots + a^{v+r} + a^r) + (a^r - 1)$. This shows that 
the remainder is $a^r - 1$ when $a^u - 1$ is divided by $a^v - 1$. Now let $R_0 = a^m - 1$ and $R_1 = a^n - 1$. 
When we perform the Euclidean algorithm starting with $R_0$ and $R_1$, we obtain $R_0 = R_1Q_1 + R_2$, 
where $R_2 = a^{r_2} - 1$, $R_1 = R_2Q_2 + R_3$ where $R_3 = a^{r_3} - 1$, $\ldots$, $R_{k-3} = R_{k-2}Q_{k-2} + R_{k-1}$ where 
$R_{k-1} = a^{r_{k-1}} - 1$. Hence, the last nonzero remainder, $R_{k-1} = a^{r_{k-1}} - 1 = a^{(m,n)} - 1$, is the greatest 
common divisor of $a^m - 1$ and $a^n - 1$. 


Note that $(x, y) = (x - ty, y)$, as any divisor of $x$ and $y$ is also a divisor of $x - ty$. Therefore, 
every move in the game of Euclid preserves the g.c.d. of the two numbers. Because $(a, 0) = a$, if 
the game beginning with $\{a, b\}$ terminates, then it must do so at $\{(a, b), 0\}$. Because the sum of 
the two numbers is always decreasing and positive, the game must terminate. 


Choose the integer $m$ so that $d$ has no more than $m$ bits and that $q$ has $2m$ bits, appending extra 
zeros to the front of $q$ if necessary. Then $m = O(\log_2 q) = O(\log_2 d)$. Then from Theorems 2.7 
and 2.5, we know that there is an algorithm for dividing $q$ by $d$ in $O(m^2) = O(\log_2 q \log_2 d)$ 
bit operations. Now let $n$ be the number of steps needed in the Euclidean algorithm to find the 
greatest common divisor of $a$ and $b$. Then by Theorem 3.12, $n = O(\log_2 a)$. Let $q_i$ and $r_i$ be as in 
the proof of Theorem 3.12. Then the total number of bit operations for divisions in the Euclidean 
algorithm is $\sum_{i=1}^{n} O(\log_2 q_i \log_2 r_i) = \sum_{i=1}^{n} O(\log_2 q_i \log_2 b) = O\left(\log_2 b \sum_{i=1}^{n} \log_2 q_i\right) = O\left(\log_2 b \log_2 \prod_{i=1}^{n} q_i\right)$. By dropping the remainder in each step of the Euclidean algorithm, 
we have the system of inequalities $r_i \ge r_{i+1}q_{i+1}$, for $i = 0, 1, \ldots, n - 1$. Multiplying these 
inequalities together yields $\prod_{i=0}^{n-1} r_i \ge \prod_{i=0}^{n-1} r_{i+1}q_{i+1}$. Cancelling common factors reduces this to 
$a = r_0 \ge r_n \prod_{i=1}^{n} q_i$. Therefore, from above, we have that the total number of bit operations is 
$O\left(\log_2 b \log_2 \prod_{i=1}^{n} q_i\right) = O(\log_2 b \log_2 a) = O((\log_2 a)^2)$. 

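We apply the $Q_i$’s one at a time. When we multiply 
$$\begin{pmatrix} q_n & 1 \\ 1 & 0 \end{pmatrix} \begin{pmatrix} r_n \\ 0 \end{pmatrix} = \begin{pmatrix} q_nr_n \\ r_n \end{pmatrix} = \begin{pmatrix} r_{n-1} \\ r_n \end{pmatrix},$$
the top component is the last equation in the series of equations in the proof of Lemma 3.3. When we 
multiply this result on the left by the next matrix we get 
$$\begin{pmatrix} q_{n-1} & 1 \\ 1 & 0 \end{pmatrix} \begin{pmatrix} r_{n-1} \\ r_n \end{pmatrix} = \begin{pmatrix} q_{n-1}r_{n-1} + r_n \\ r_{n-1} \end{pmatrix} = \begin{pmatrix} r_{n-2} \\ r_{n-1} \end{pmatrix},$$
which is the matrix version of the last two equations in the proof of Lemma 3.3. In 
general, at the $i$th step we have 
$$\begin{pmatrix} q_{n-i} & 1 \\ 1 & 0 \end{pmatrix} \begin{pmatrix} r_{n-i-1} \\ r_{n-i} \end{pmatrix} = \begin{pmatrix} q_{n-i}r_{n-i-1} + r_{n-i} \\ r_{n-i-1} \end{pmatrix} = \begin{pmatrix} r_{n-i-2} \\ r_{n-i-1} \end{pmatrix},$$
so that we inductively work our way up the equations in the proof of Lemma 3.3, until finally we 
have $\begin{pmatrix} r_0 \\ r_1 \end{pmatrix} = \begin{pmatrix} a \\ b \end{pmatrix}$. 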


Section 3.5 

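1. a. $2^2 \cdot 3^2$  b. $3 \cdot 13$  c. $10^2 = 2^2 \cdot 5^2$  d. $17^2$  e. $2 \cdot 111 = 2 \cdot 3 \cdot 37$  f. $2^8$  g. $5 \cdot 103$ 
h. $23 \cdot 43$  i. $10 \cdot 504 = 2 \cdot 5 \cdot 4 \cdot 126 = 2^4 \cdot 3^2 \cdot 5 \cdot 7$  j. $8 \cdot 10^3 = 2^6 \cdot 5^3$  k. $3 \cdot 5 \cdot 7^2 \cdot 13$ 
l. $9 \cdot 1111 = 3^2 \cdot 11 \cdot 101$ 

. $3 \cdot 5 \cdot 7 \cdot 11 \cdot 13 \cdot 17 \cdot 19$ 

5. a. 2, 3  b. 2, 3, 5  c. 2, 3, 5, 7, 11, 13, 17, 19  d. 2, 3, 7, 13, 29, 31, 37, 41, 43, 47 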


7. integers of the form $p^2$ where $p$ is prime; integers of the form $pq$ or $p^3$ where $p$ and $q$ are distinct primes. 
9. Let $n = p_1^{2a_1}p_2^{2a_2} \cdots p_k^{2a_k}q_1^{2b_1+3}q_2^{2b_2+3} \cdots q_l^{2b_l+3}$ be the factorization of a powerful number. Then 
$n = (p_1^{a_1}p_2^{a_2} \cdots p_k^{a_k}q_1^{b_1}q_2^{b_2} \cdots q_l^{b_l})^2 (q_1q_2 \cdots q_l)^3$ is a product of a square and a cube. 


11. a. Suppose that $p^a \| m$ and $p^b \| n$. Then $m = p^a Q$ and $n = p^b R$, where both $Q$ and $R$ are products of primes other than $p$. Hence, $mn = (p^a Q)(p^b R) = p^{a+b} QR$. It follows that $p^{a+b} \| mn$ because $p$ does not divide $QR$. b. If $p^a \| m$ then $m = p^a n$, where $p \nmid n$. Then $p \nmid n^k$ and we have $m^k = p^{ka} n^k$ and we see that $p^{ka} \| m^k$. c. Suppose that $p^a \| m$ and $p^b \| n$ with $a \ne b$. Then $m = p^a Q$ and $n = p^b R$ where both $Q$ and $R$ are products of primes other than $p$. Suppose, without loss of generality, that $a = \min(a, b)$. Then $m + n = p^a Q + p^b R = p^{\min(a,b)}(Q + p^{b-a}R)$. Then $p \nmid (Q + p^{b-a}R)$ because $p \nmid Q$ but $p \mid p^{b-a}R$. It follows that $p^{\min(a,b)} \| (m + n)$.

13. $2^{18} \cdot 3^8 \cdot 5^4 \cdot 7^2 \cdot 11 \cdot 13 \cdot 17 \cdot 19$

15. 300, 301, 302, 303, 304 


17. We compute $\alpha\beta = (ac - 5bd) + (ad + bc)\sqrt{-5}$. Thus, $N(\alpha\beta) = (ac - 5bd)^2 + 5(ad + bc)^2 = a^2c^2 - 10acbd + 25b^2d^2 + 5a^2d^2 + 10adbc + 5b^2c^2 = a^2(c^2 + 5d^2) + 5b^2(5d^2 + c^2) = (a^2 + 5b^2)(c^2 + 5d^2) = N(\alpha)N(\beta)$.

19. Suppose $3 = \alpha\beta$. Then by Exercise 17, $9 = N(3) = N(\alpha)N(\beta)$. Then $N(\alpha) = 1$, 3, or 9. Let $\alpha = a + b\sqrt{-5}$. Then we must have $a^2 + 5b^2 = 1$, 3, or 9. So either $b = 0$ and $a = \pm 1$ or $\pm 3$, or $b = \pm 1$ and $a = \pm 2$. Because $a = \pm 1$, $b = 0$ is excluded, and because $a = \pm 3$ forces $\beta = \pm 1$, we must have $b = \pm 1$. That is, $\alpha = \pm 2 \pm \sqrt{-5}$. But then $N(\alpha) = 9$, and hence $N(\beta) = 1$, which forces $\beta = \pm 1$.


21. Note that $21 = 3 \cdot 7 = (1 + 2\sqrt{-5})(1 - 2\sqrt{-5})$. We know 3 is prime from Exercise 19. Similarly, if we seek $\alpha = a + b\sqrt{-5}$ such that $N(\alpha) = a^2 + 5b^2 = 7$, we find there are no solutions. For $|b| = 0$ implies $a^2 = 7$, $|b| = 1$ implies $a^2 = 2$, and $|b| > 1$ implies $a^2 < 0$, and in each case there is no such $a$. Hence, if $\alpha\beta = 7$, then $N(\alpha\beta) = N(\alpha)N(\beta) = N(7) = 49$. So one of $N(\alpha)$ and $N(\beta)$ must be equal to 49 and the other equal to 1. Hence, 7 is also prime. We have shown that there are no numbers of the form $a + b\sqrt{-5}$ with norm 3 or 7. So in a similar fashion to the argument above, if $\alpha\beta = 1 + 2\sqrt{-5}$, then $N(\alpha\beta) = N(\alpha)N(\beta) = N(1 + 2\sqrt{-5}) = 21$. And there are no numbers with norm 3 or 7, so one of $\alpha$ and $\beta$ has norm 21 and the other has norm 1. Hence, $1 + 2\sqrt{-5}$ is also prime.

23. The product of $4k + 1$ and $4l + 1$ is $(4k + 1)(4l + 1) = 16kl + 4k + 4l + 1 = 4(4kl + k + l) + 1 = 4m + 1$, where $m = 4kl + k + l$. Hence, the product of two integers of the form $4k + 1$ is also of this form.


25. We proceed by strong mathematical induction on the elements of $H$. The first Hilbert number greater than 1, which is 5, is a Hilbert prime because it is an integer prime. This completes the basis step. For the inductive step, we assume that all numbers in $H$ less than or equal to $n$ can be factored into Hilbert primes. The next greatest number in $H$ is $n + 4$. If $n + 4$ is a Hilbert prime, then we are done. Otherwise, $n + 4 = hk$, where $h$ and $k$ are less than $n + 4$ and in $H$, and so both are less than or equal to $n$. By the inductive hypothesis, $h$ and $k$ can be factored into Hilbert primes. Thus, $n + 4$ can be written as the product of Hilbert primes.

27. 1, 2, 3, 4, 6, 8, 12, 24

29. a. 77 b. 36 c. 150 d. 33,633 e. 605,605 f. 277,200

31. a. 22395372, 27395977 b. 1, $2 \cdot 3 \cdot 5 \cdot 7 \cdot 11 \cdot 13 \cdot 17 \cdot 19 \cdot 23 \cdot 29$ c. 2-5-11, 23-3-57-7-113-13 d. 101109 4411471179111g3111]¢ 11001

33. the year 2121

35. Let $a = p_1^{r_1} p_2^{r_2} \cdots p_k^{r_k}$ and $b = p_1^{s_1} p_2^{s_2} \cdots p_k^{s_k}$, where $p_i$ is a prime and $r_i$ and $s_i$ are nonnegative. $(a, b) = p_1^{\min(r_1,s_1)} \cdots p_k^{\min(r_k,s_k)}$ and $[a, b] = p_1^{\max(r_1,s_1)} \cdots p_k^{\max(r_k,s_k)}$. So $[a, b] = (a, b)\, p_1^{\max(r_1,s_1)-\min(r_1,s_1)} \cdots p_k^{\max(r_k,s_k)-\min(r_k,s_k)}$. Because $\max(r_i, s_i) - \min(r_i, s_i)$ is clearly nonnegative, we now see that $(a, b) \mid [a, b]$, and we have equality when $\max(r_i, s_i) - \min(r_i, s_i) = 0$ for each $i$, that is, if $r_i = s_i$ for each $i$, that is if $a = b$.

37. a. If $[a, b] \mid c$, then because $a \mid [a, b]$, $a \mid c$. Similarly, $b \mid c$. Conversely, suppose that $a = p_1^{a_1} p_2^{a_2} \cdots p_n^{a_n}$ and $b = p_1^{b_1} p_2^{b_2} \cdots p_n^{b_n}$ and $c = p_1^{c_1} p_2^{c_2} \cdots p_n^{c_n}$. If $a \mid c$ and $b \mid c$, then $\max(a_i, b_i) \le c_i$ for $i = 1, 2, \ldots, n$. Hence, $[a, b] \mid c$. b. We proceed by induction on $n$. The basis step is given by part (a). Suppose the result holds for sets of $n - 1$ integers. Then $[a_1, \ldots, a_n] \mid d$ if and only if $[[a_1, \ldots, a_{n-1}], a_n] \mid d$. (See Exercise 49.) This is true if and only if $[a_1, \ldots, a_{n-1}] \mid d$ and $a_n \mid d$ by part (a). By the induction hypothesis, this is true if and only if $a_i \mid d$ for $i = 1, 2, \ldots, n$. This completes the induction step.

39. Assume that $p \mid a^n = \pm |a| \cdot |a| \cdots |a|$. Then by Lemma 3.5, $p \mid |a|$ and so $p \mid a$.

41. a. Suppose that $(a, b) = 1$ and $p \mid (a^n, b^n)$ where $p$ is a prime. It follows that $p \mid a^n$ and $p \mid b^n$. By Exercise 41, $p \mid a$ and $p \mid b$. But then $p \mid (a, b) = 1$, which is a contradiction. b. Suppose that $a$ does not divide $b$, but $a^n \mid b^n$. Then there is some prime power, say, $p^r$, that divides $a$ but does not divide $b$ (or else $a \mid b$ by the fundamental theorem of arithmetic). Thus, $a = p^r Q$, where $Q$ is an integer. Now $a^n = (p^r Q)^n = p^{rn} Q^n$, so $p^{rn} \mid a^n \mid b^n$. Then $b^n = m p^{rn}$, from which it follows that each of the $n$ $b$'s must by symmetry contain $r$ $p$'s. But this is a contradiction.

43. Suppose that $x = \sqrt{2} + \sqrt{3}$. Then $x^2 = 2 + 2\sqrt{2}\sqrt{3} + 3 = 5 + 2\sqrt{6}$. Hence, $x^2 - 5 = 2\sqrt{6}$. It follows that $x^4 - 10x^2 + 25 = 24$. Consequently, $x^4 - 10x^2 + 1 = 0$. By Theorem 3.17, it follows that $\sqrt{2} + \sqrt{3}$ is irrational, because it is not an integer (we can see this because $3 < \sqrt{2} + \sqrt{3} < 4$).

45. Suppose that $m/n = \log_p b$. This implies that $p^{m/n} = b$, from which it follows that $p^m = b^n$. Because $b$ is not a power of $p$, there must be another prime, say, $q$, such that $q \mid b$. But then $q \mid b \mid b^n = p^m = p \cdot p \cdots p$. By Lemma 24, $q \mid p$, which is impossible because $p$ is a prime number.

47. Let $a = p_1^{r_1} p_2^{r_2} \cdots p_k^{r_k}$, $b = p_1^{s_1} p_2^{s_2} \cdots p_k^{s_k}$, and $c = p_1^{t_1} p_2^{t_2} \cdots p_k^{t_k}$, with $p_i$ prime and $r_i$, $s_i$, and $t_i$ nonnegative. Observe that $\min(x, \max(y, z)) = \max(\min(x, y), \min(x, z))$. We also know that $[a, b] = p_1^{\max(r_1,s_1)} \cdots p_k^{\max(r_k,s_k)}$, and so $([a, b], c) = p_1^{\min(\max(r_1,s_1),t_1)} \cdots p_k^{\min(\max(r_k,s_k),t_k)}$. We also know that $(a, c) = p_1^{\min(r_1,t_1)} \cdots p_k^{\min(r_k,t_k)}$ and $(b, c) = p_1^{\min(s_1,t_1)} \cdots p_k^{\min(s_k,t_k)}$. Then $[(a, c), (b, c)] = p_1^{\max(\min(r_1,t_1),\min(s_1,t_1))} \cdots p_k^{\max(\min(r_k,t_k),\min(s_k,t_k))}$. Therefore, $([a, b], c) = [(a, c), (b, c)]$. In a similar manner, noting that $\min(\max(x, z), \max(y, z)) = \max(\min(x, y), z)$, we find that $[(a, b), c] = ([a, c], [b, c])$.

49. Let $c = [a_1, \ldots, a_n]$, $d = [[a_1, \ldots, a_{n-1}], a_n]$, and $e = [a_1, \ldots, a_{n-1}]$. If $c \mid m$, then all $a_i$'s divide $m$, and hence $e \mid m$ and $a_n \mid m$, so $d \mid m$. Conversely, if $d \mid m$, then $e \mid m$ and $a_n \mid m$, and so all $a_i$'s divide $m$; thus $c \mid m$. Because $c$ and $d$ divide all the same numbers, they must be equal.

51. a. There are six cases, all handled the same way. So without loss of generality, suppose that $a \le b \le c$. Then $\max(a, b, c) = c$, $\min(a, b) = a$, $\min(a, c) = a$, $\min(b, c) = b$, and $\min(a, b, c) = a$. Hence, $c = \max(a, b, c) = a + b + c - \min(a, b) - \min(a, c) - \min(b, c) + \min(a, b, c) = a + b + c - a - a - b + a$. b. The power of a prime $p$ that occurs in the prime factorization of $[a, b, c]$ is $\max(a, b, c)$ where $a$, $b$, and $c$ are the powers of this prime in the factorizations of $a$, $b$, and $c$, respectively. Also, $a + b + c$ is the power of $p$ in $abc$, $\min(a, b)$ is the power of $p$ in $(a, b)$, $\min(a, c)$ is the power of $p$ in $(a, c)$, $\min(b, c)$ is the power of $p$ in $(b, c)$, and $\min(a, b, c)$ is the power of $p$ in $(a, b, c)$. It follows that $a + b + c - \min(a, b) - \min(a, c) - \min(b, c)$ is the power of $p$ in $abc(a, b, c)/((a, b)(a, c)(b, c))$. Hence, $[a, b, c] = abc(a, b, c)/((a, b)(a, c)(b, c))$.

53. Let $a = p_1^{r_1} p_2^{r_2} \cdots p_k^{r_k}$, $b = p_1^{s_1} p_2^{s_2} \cdots p_k^{s_k}$, and $c = p_1^{t_1} p_2^{t_2} \cdots p_k^{t_k}$, with $p_i$ prime and $r_i$, $s_i$, and $t_i$ nonnegative. Then $p_i^{r_i+s_i+t_i} \| abc$, but $p_i^{\min(r_i,s_i,t_i)} \| (a, b, c)$ and $p_i^{r_i+s_i+t_i-\min(r_i,s_i,t_i)} \| [ab, ac, bc]$, and $p_i^{\min(r_i,s_i,t_i)} \cdot p_i^{r_i+s_i+t_i-\min(r_i,s_i,t_i)} = p_i^{r_i+s_i+t_i}$.

55. Let $a = p_1^{r_1} p_2^{r_2} \cdots p_k^{r_k}$, $b = p_1^{s_1} p_2^{s_2} \cdots p_k^{s_k}$, and $c = p_1^{t_1} p_2^{t_2} \cdots p_k^{t_k}$, with $p_i$ prime and $r_i$, $s_i$, and $t_i$ nonnegative. Then, using that $(a, b, c) = p_1^{\min(r_1,s_1,t_1)} p_2^{\min(r_2,s_2,t_2)} \cdots p_k^{\min(r_k,s_k,t_k)}$ and $[a, b, c] = p_1^{\max(r_1,s_1,t_1)} p_2^{\max(r_2,s_2,t_2)} \cdots p_k^{\max(r_k,s_k,t_k)}$, we can write the prime factorization of $([a, b], [a, c], [b, c])$ and $[(a, b), (a, c), (b, c)]$. For instance, consider the case where $k = 1$. Then $([a, b], [a, c], [b, c]) = (p_1^{\max(r_1,s_1)}, p_1^{\max(r_1,t_1)}, p_1^{\max(s_1,t_1)}) = p_1^{\min(\max(r_1,s_1),\max(r_1,t_1),\max(s_1,t_1))}$. Similarly, $[(a, b), (a, c), (b, c)] = p_1^{\max(\min(r_1,s_1),\min(r_1,t_1),\min(s_1,t_1))}$. Clearly, these two are equal (examine the six orderings $r_1 \ge s_1 \ge t_1, \ldots$).

57. First note that there are arbitrarily long sequences of composites in the integers. For example, $(n + 2)! + 2, (n + 2)! + 3, \ldots, (n + 2)! + (n + 2)$ is a sequence of $n$ consecutive composites. To find a sequence of $n$ composites in the sequence $a, a + b, a + 2b, \ldots$, look at the integers in $a, a + b, a + 2b, \ldots$ with absolute values between $(nb + 2)! + 2$ and $(nb + 2)! + (nb + 2)$. There are clearly $n$ or $n + 1$ such integers, and all are composite.

59. 103

61. 701

63. Let $a = \prod_{i=1}^{r} p_i^{\alpha_i}$ and $b = \prod_{i=1}^{r} p_i^{\beta_i}$. The condition $(a, b) = 1$ is equivalent to $\min(\alpha_i, \beta_i) = 0$ for all $i$, and the condition $ab = c^n$ is equivalent to $n \mid (\alpha_i + \beta_i)$ for all $i$. Hence, $n \mid \alpha_i$ and $\beta_i = 0$ or $n \mid \beta_i$ and $\alpha_i = 0$. Let $d$ be the product of $p_i^{\alpha_i/n}$ over all $i$ of the first kind, and let $e$ be the product of $p_i^{\beta_i/n}$ over all $i$ of the second kind. Then $d^n = a$ and $e^n = b$.

65. Suppose the contrary and that $a \le n$ is in the set. Then $2a$ cannot be in the set. Thus, if there are $k$ elements in the set not exceeding $n$, then there are $k$ integers between $n + 1$ and $2n$ that cannot be in the set. So there are at most $k + (n - k) = n$ elements in the set.

67. $m = n$ or $\{m, n\} = \{2, 4\}$

69. For $j \ne i$, $p_i \mid Q_j$, because it is one of the factors. So $p_i$ must divide $S - \sum_{j \ne i} Q_j = Q_i = p_1 \cdots p_{i-1} p_{i+1} \cdots p_r$, but by the fundamental theorem of arithmetic, $p_i$ must be equal to one of these last factors, a contradiction.

71. Let $p$ be the largest prime less than or equal to $n$. If $2p$ were less than or equal to $n$, then Bertrand's postulate would guarantee another prime $q$ such that $p < q < 2p \le n$, contradicting the choice of $p$. Therefore, we know that $n < 2p$. Therefore, in the product $n! = 1 \cdot 2 \cdot 3 \cdots n$, there appears only one multiple of $p$, namely, $p$ itself, and so in the prime factorization of $n!$, $p$ appears with exponent 1.

73. a. Uniqueness follows from the Fundamental Theorem. If a prime $p_i$ doesn't appear in the prime factorization, then we include it in the product with an exponent of 0. Because $e_i \ge 0$, we have $p_i^{e_i} \le p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r} = m$. b. Because $p_1^{e_i} \le p_i^{e_i} \le m \le Q = p_r^n$, we take logs of both sides to get $e_i \log p_1 \le n \log p_r$. Solving for $e_i$ gives the first inequality. If $1 \le m \le Q$, then $m$ has a prime-power factorization of the form given in part (a), so the $r$-tuples of exponents count the number of integers in the range $1 \le m \le Q$. c. To bound the number of $r$-tuples, by part (b) there are at most $Cn + 1$ choices for each $e_i$, and therefore there are at most $(Cn + 1)^r$ $r$-tuples, which by part (b) gives us $p_r^n \le (Cn + 1)^r = (n(C + 1/n))^r \le n^r (C + 1)^r$. d. Taking logs of both sides of the inequality in part (c) and solving for $n$ yields $n \le (r \log n + \log(C + 1))/\log p_r$, but because $n$ grows much faster than $\log n$, the left side must be larger than the right for large values of $n$. This contradiction shows there must be infinitely many primes.

75. S(40) = 5, S(41) = 41, S(43) =

77. a(n) = 1, 2, 3, 4, 5, 9, 7, 32, 27, 25, 11, ...

79. From Exercise 78, we have $S(p) = p$ whenever $p$ is prime. If $m < p$ and $m \mid S(p)! = p!$, then $m \mid (p - 1)!$, so $S(p)$ must be the first time that $S(m)$ takes on the value $p$. Therefore, of all the inverses of $p$, $p$ is the least.

81. Let $n$ be a positive integer and suppose $n$ is square-free. Then no prime can appear to a power greater than 1 in the prime-power factorization of $n$. So $n = p_1 p_2 \cdots p_r$ for some distinct primes $p_i$. Then $\mathrm{rad}(n) = p_1 p_2 \cdots p_r = n$. Conversely, if $n$ is not square-free, then some prime factor $p_1$ appears to a power greater than 1 in the prime-power factorization of $n$. So $n = p_1^{a} p_2^{b_2} \cdots p_r^{b_r}$ with $a \ge 2$. Then $\mathrm{rad}(n) = p_1 p_2 \cdots p_r < n$.

83. Because every prime occurring in the prime-power factorization of $mn$ occurs in either the factorization of $m$ or $n$, every factor in $\mathrm{rad}(mn)$ occurs at least once in the product $\mathrm{rad}(m)\mathrm{rad}(n)$, which gives us the inequality. If $m = p_1^{a_1} \cdots p_r^{a_r}$ and $n = q_1^{b_1} \cdots q_s^{b_s}$ are relatively prime, then we have $\mathrm{rad}(mn) = p_1 \cdots p_r q_1 \cdots q_s = \mathrm{rad}(m)\mathrm{rad}(n)$.

85. First note that if $p \mid \binom{2n}{n}$, then $p \le 2n$. This is true because every factor of the numerator of $\binom{2n}{n} = \frac{(2n)!}{(n!)^2}$ is less than or equal to $2n$. Let $\binom{2n}{n} = p_1^{r_1} p_2^{r_2} \cdots p_k^{r_k}$ be the factorization of $\binom{2n}{n}$ into distinct primes. By the definition of $\pi$, $k \le \pi(2n)$. By Exercise 84, $p_i^{r_i} \le 2n$. It now follows that $\binom{2n}{n} = p_1^{r_1} p_2^{r_2} \cdots p_k^{r_k} \le (2n)(2n) \cdots (2n) \le (2n)^{\pi(2n)}$.

87. Note that $\binom{2n}{n} \le \sum_{a=0}^{2n} \binom{2n}{a} = (1 + 1)^{2n} = 2^{2n}$. Then from Exercise 86, $n^{\pi(2n)-\pi(n)} < \binom{2n}{n} \le 2^{2n}$. Taking logarithms gives $(\pi(2n) - \pi(n)) \log n < \log(2^{2n}) = n \log 4$. Now divide by $\log n$.

89. Note that $2^n = \prod_{a=1}^{n} 2 \le \prod_{a=1}^{n} (n + a)/a = \binom{2n}{n}$. Then by Exercise 85, $2^n \le (2n)^{\pi(2n)}$. Taking logs gives $\pi(2n) \ge n \log 2/\log 2n$. Hence, for a real number $x$, we have $\pi(x) \ge [x/2] \log 2/\log [x] > c_1 x/\log x$. For the other half, Exercise 65 gives $\pi(x) - \pi(x/2) < ax/\log x$, where $a$ is a constant. Then $\log(x/2^m)\,\pi(x/2^m) - \log(x/2^{m+1})\,\pi(x/2^{m+1}) < ax/2^m$ for any positive integer $m$. Then $\log x\,\pi(x) = \sum_{m=0}^{v} \left(\log(x/2^m)\,\pi(x/2^m) - \log(x/2^{m+1})\,\pi(x/2^{m+1})\right) < ax \sum_{m=0}^{v} 1/2^m < c_2 x$, where $v$ is the largest integer such that $2^{v+1} \le x$. Then $\pi(x) < c_2 x/\log x$.


Section 3.6 


1. a. $3 \cdot 5^2 \cdot 7^3 \cdot 13 \cdot 101$ b. $11^3 \cdot 13 \cdot 19 \cdot 641$ c. $13 \cdot 17 \cdot 19 \cdot 47 \cdot 71 \cdot 97$

3. a. $143 = 12^2 - 1 = (12 + 1)(12 - 1) = 13 \cdot 11$ b. $2279 = 48^2 - 5^2 = (48 + 5)(48 - 5) = 53 \cdot 43$ c. 43 is prime. d. $11413 = 107^2 - 6^2 = (107 + 6)(107 - 6) = 113 \cdot 101$

5. Note that $(50 + n)^2 = 2500 + 100n + n^2$ and $(50 - n)^2 = 2500 - 100n + n^2$. The first equation shows that the possible final two digits of squares can be found by examining the squares of the integers 0, 1, ..., 49, and the second equation shows that these final two digits can be found by examining the squares of the integers 0, 1, ..., 25. We find that $0^2 = 0$, $1^2 = 1$, $2^2 = 4$, $3^2 = 9$, $4^2 = 16$, $5^2 = 25$, $6^2 = 36$, $7^2 = 49$, $8^2 = 64$, $9^2 = 81$, $10^2 = 100$, $11^2 = 121$, $12^2 = 144$, $13^2 = 169$, $14^2 = 196$, $15^2 = 225$, $16^2 = 256$, $17^2 = 289$, $18^2 = 324$, $19^2 = 361$, $20^2 = 400$, $21^2 = 441$, $22^2 = 484$, $23^2 = 529$, $24^2 = 576$, and $25^2 = 625$. It follows that the last two digits of a square are 00, e1, e4, 25, o6, and e9, where e represents an even digit and o represents an odd digit.

7. Suppose that $x^2 - n$ is a perfect square with $x > (n + p^2)/2p$, say, $a^2$. Now, $a^2 = x^2 - n > ((n + p^2)/2p)^2 - n = ((n - p^2)/2p)^2$. It follows that $a > (n - p^2)/2p$. From these inequalities for $x$ and $a$, we see that $x + a > n/p$, or $n < p(x + a)$. Also, $a^2 = x^2 - n$ tells us that $(x - a)(x + a) = n$. Now, $(x - a)(x + a) = n < p(x + a)$. Canceling, we find that $x - a < p$. But because $x - a$ is a divisor of $n$ less than $p$, the smallest prime divisor of $n$, it follows that $x - a = 1$. In this case, $x = (n + 1)/2$.

9. From the identity in Exercise 8, it is clear that if n =n, is a multiple of 2k + 1, then so
is nz, because it is the sum of two multiples of 2k + 1. If (2k + 1) | nz, then (2k + 1) | 7;
and it follows from r, < 2k + 1 that 7, = 0. Thus, n, = (2k + 1)q,. Continuing, we see that
n=n-+ 2n;, — 2(2k + 1g, = (2k + I)n + 2(ny — kn) — 2(2k + 1)q,. It follows from Exercise 8
that n = (2k + I)n — 2(2k + 1) DFT} qj — 2(2k + Igy = (2k + In — 2(2k + 1) OE, gj. Using
Exercise 8 again, we conclude that n = (2k + 1)(n — 2 an qj) = (2k + l)my41.

11. To see that $u$ is even, note that $a - c$ is the difference of odd numbers and that $b - d$ is the difference of even numbers. Thus, $a - c$ and $b - d$ are even, and $u$ must be as well. That $(r, s) = 1$ follows trivially from Theorem 2.1 (i). To continue, $a^2 + b^2 = c^2 + d^2$ implies that $(a + c)(a - c) = (d - b)(d + b)$. Dividing both sides of this equation by $u$, we find that $r(a + c) = s(d + b)$. From this, it is clear that $s \mid r(a + c)$. But because $(r, s) = 1$, $s \mid a + c$.

13. To factor $n$, observe that $[(\frac{u}{2})^2 + (\frac{v}{2})^2](r^2 + s^2) = (1/4)(r^2u^2 + r^2v^2 + s^2u^2 + s^2v^2)$. Substituting $a - c$, $d - b$, $a + c$, and $d + b$ for $ru$, $su$, $sv$, and $rv$, respectively, will allow everything to be simplified down to $n$. As $u$ and $v$ are both even, both of the factors are integers.

15. We have $2^{4n+2} + 1 = 4(2^n)^4 + 1 = (2 \cdot 2^{2n} + 2 \cdot 2^n + 1)(2 \cdot 2^{2n} - 2 \cdot 2^n + 1)$. Using this identity, we have the factorization $2^{18} + 1 = 4(2^4)^4 + 1 = (2 \cdot 2^8 + 2 \cdot 2^4 + 1)(2 \cdot 2^8 - 2 \cdot 2^4 + 1) = (2^9 + 2^5 + 1)(2^9 - 2^5 + 1) = 545 \cdot 481$.

17. We can prove that the last digit in the decimal expansion of $F_n$ is 7 for $n \ge 2$ by proving that the last digit in the decimal expansion of $2^{2^n}$ is 6 for $n \ge 2$. This can be done using mathematical induction. We have $2^{2^2} = 16$, so the result is true for $n = 2$. Now assume that the last decimal digit of $2^{2^n}$ is 6, that is, $2^{2^n} \equiv 6 \pmod{10}$. It follows that $2^{2^{n+1}} = (2^{2^n})^{2^{n+1}-2^n} \equiv 6^{2^{n+1}-2^n} \equiv 6 \pmod{10}$. This completes the proof.

19. Because every prime factor of $F_5 = 2^{2^5} + 1 = 4{,}294{,}967{,}297$ is of the form $2^7 k + 1 = 128k + 1$, attempt to factor $F_5$ by trial division by primes of this form. We find that $128 \cdot 1 + 1 = 129$ is not prime, $128 \cdot 2 + 1 = 257$ is prime but does not divide 4,294,967,297, $128 \cdot 3 + 1 = 385$ is not prime, $128 \cdot 4 + 1 = 513$ is not prime, and $128 \cdot 5 + 1 = 641$ is prime and does divide 4,294,967,297 with $4{,}294{,}967{,}297 = 641 \cdot 6{,}700{,}417$. Any factor of 6,700,417 is also a factor of 4,294,967,297. We attempt to factor 6,700,417 by trial division by primes of the form $128k + 1$ beginning with 641. We first note that 641 does not divide 6,700,417. Among the other integers of the form $128k + 1$ less than $\sqrt{6{,}700{,}417}$, namely the integers 769, 897, 1025, 1153, 1281, 1409, 1537, 1665, 1793, 1921, 2049, 2177, 2305, 2433, and 2561, only 769, 1153, and 1409 are prime, and none of them divide 6,700,417. Hence, 6,700,417 is prime and the prime factorization of $F_5$ is $641 \cdot 6{,}700{,}417$.

21. $2^n/\log_2 10 + 1$
23. See Exercise 23 in Section 3.2. 
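
The difference-of-squares factorizations in Exercise 3 and the restricted trial division in Exercise 19 of Section 3.6 can be reproduced with the following Python sketch. It is an added example, not code from the book; the function names `fermat_factor` and `trial_divide_special` are illustrative.

```python
from math import isqrt


def fermat_factor(n):
    """Fermat factorization of an odd positive integer n.

    Returns the pair (x, y) with the smallest x >= sqrt(n) such that
    n = x*x - y*y = (x + y)(x - y).  When n is prime the search only
    stops at x = (n + 1) / 2, y = (n - 1) / 2, i.e. the trivial
    factorization n * 1 (the case treated in Exercise 7).
    """
    if n < 1 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    x = isqrt(n)
    if x * x < n:          # start at the ceiling of sqrt(n)
        x += 1
    while True:
        y_squared = x * x - n
        y = isqrt(y_squared)
        if y * y == y_squared:
            return x, y
        x += 1


def trial_divide_special(n, modulus):
    """Trial division using only candidates d = modulus*k + 1.

    Assumes, as Exercise 19 does for F_5 with modulus 128, that every
    prime factor of n has this form.  Candidates are tried in increasing
    order and each factor is divided out as soon as it is found, so every
    d that divides the remaining cofactor is prime.
    """
    factors = []
    d = modulus + 1
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            n //= d         # retry the same d on the cofactor
        else:
            d += modulus
    if n > 1:
        factors.append(n)   # what is left has no divisor <= sqrt(n)
    return factors


if __name__ == "__main__":
    for n in (143, 2279, 43, 11413):       # the four values in Exercise 3
        x, y = fermat_factor(n)
        print(f"{n} = {x}^2 - {y}^2 = {x + y} * {x - y}")
    f5 = 2 ** (2 ** 5) + 1
    print(f5, "=", " * ".join(map(str, trial_divide_special(f5, 128))))
```

The number of iterations of `fermat_factor` grows with the distance between the two factors, which is why it finishes immediately on 11413 = 113 · 101 but needs sixteen steps to report that 43 has only the trivial factorization.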
Section 3.7 
1. a. $x = 33 - 5t$, $y = -11 + 2t$ b. $x = -300 + 13t$, $y = 400 - 17t$ c. $x = 21 - 2t$, $y = -21 + 3t$ d. no solutions e. $x = 889 - 1969t$, $y = -633 + 1402t$

3. 63 US$, 41 Can$

5. 53 Euros, 35 Pounds

7. 17 apples, 23 oranges

9. a. (1, 16), (4, 14), (7, 12), ..., (22, 2), (25, 0) b. no solutions c. 18 solutions: (0, 37), (3, 35), ..., (54, 1)


11. a. $x = -5 + 3s - 2t$, $y = 5 - 2s$, $z = t$ b. no solutions c. $x = -1 + 102s + t$, $y = 1 - 101s - 2t$, $z = t$

13. Let $x$, $y$, and $z$ be the number of pennies, dimes, and quarters, respectively. When $z = 0$, we have $x = 9, y = 9$; $x = 19, y = 8$; $x = 29, y = 7$; $x = 39, y = 6$; $x = 49, y = 5$; $x = 59, y = 4$; $x = 69, y = 3$; $x = 79, y = 2$; $x = 89, y = 1$; $x = 99, y = 0$. When $z = 1$, we have $x = 4, y = 7$; $x = 14, y = 6$; $x = 24, y = 5$; $x = 34, y = 4$; $x = 44, y = 3$; $x = 54, y = 2$; $x = 64, y = 1$; $x = 74, y = 0$. When $z = 2$, we have $x = 9, y = 4$; $x = 19, y = 3$; $x = 29, y = 2$; $x = 39, y = 1$; $x = 49, y = 0$. When $z = 3$, we have $x = 4, y = 2$; $x = 14, y = 1$; $x = 24, y = 0$.

15. a. $x = 92 + 6t$, $y = 8 - 7t$, $z = t$ b. no solution c. $x = 50 - t$, $y = -100 + 3t$, $z = 150 - 3t$, $w = t$

17. 9, 19, 41 

19. The quadrilateral with vertices $(b, 0)$, $(0, a)$, $(b - 1, -1)$, and $(-1, a - 1)$ has area $a + b$. Pick's Theorem, from elementary geometry, states that the area of a simple polygon whose vertices are lattice points (points with integer coordinates) is given by $\frac{1}{2}x + y - 1$, where $x$ is the number of lattice points on the boundary and $y$ is the number of lattice points inside the polygon. Because $(a, b) = 1$, $x = 4$, and therefore, by Pick's Theorem, the quadrilateral contains $a + b - 1$ lattice points. Every point corresponds to a different value of $n$ in the range $ab - a - b < n < ab$. Therefore, every $n$ in the range must get hit, so the equation is solvable.

21. See the solution to Exercise 19. The line $ax + by = ab - a - b$ bisects the rectangle with vertices $(-1, a - 1)$, $(-1, -1)$, $(b - 1, a - 1)$, and $(b - 1, -1)$ but contains no lattice points. Hence, half the interior points are below the line and half are above. The half below correspond to $n < ab - a - b$ and there are $(a - 1)(b - 1)/2$ of them.

23. (0, 25, 75); (4, 18, 78); (8, 11, 81); (12, 4, 84) 

Section 4.1 
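1. a. $2 \mid (13 - 1) = 12$ b. $5 \mid (22 - 7) = 15$ c. $13 \mid (91 - 0) = 91$ d. $7 \mid (69 - 62) = 7$ e. $3 \mid (-2 - 1) = -3$ f. $11 \mid (-3 - 30) = -33$ g. $40 \mid (111 - (-9)) = 120$ h. $37 \mid (666 - 0) = 666$

3. a. 1, 2, 11, 22 b. 1, 3, 9, 27, 37, 111, 333, 999 c. 1, 11, 121, 1331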
5. Suppose that $a$ is odd. Then $a = 2k + 1$ for some integer $k$. Then $a^2 = (2k + 1)^2 = 4k^2 + 4k + 1 = 4k(k + 1) + 1$. If $k$ is even, then $k = 2l$ where $l$ is an integer. Then $a^2 = 8l(2l + 1) + 1$. Hence, $a^2 \equiv 1 \pmod{8}$. If $k$ is odd, then $k = 2l + 1$ where $l$ is an integer. Then $a^2 = 4(2l + 1)(2l + 2) + 1 = 8(2l + 1)(l + 1) + 1$. Hence, $a^2 \equiv 1 \pmod{8}$. It follows that $a^2 \equiv 1 \pmod{8}$ whenever $a$ is odd.

7. a. 15 b. 8 c. 25 d. 27 e. 8 f. 27

9. a. 1 b. 5 c. 9 d. 13

11. By the Division Algorithm, there exist integers $q_1, q_2, r_1, r_2$ such that $a = q_1 m + r_1$ and $b = q_2 m + r_2$, with $0 \le r_1, r_2 < m$. Then $a \bmod m = r_1$ and $b \bmod m = r_2$. Suppose that $r_1 = r_2$; then $a - b = m(q_1 - q_2) + (r_1 - r_2) = m(q_1 - q_2)$. Then $m \mid a - b$, and so $a \equiv b \pmod{m}$.

13. Because $a \equiv b \pmod{m}$, there exists an integer $k$ such that $a = b + km$. Thus, $ac = (b + km)c = bc + k(mc)$. By Theorem 4.1, $ac \equiv bc \pmod{mc}$.

15. a. We proceed by induction on $n$. It is clearly true for $n = 1$. For the inductive step, we assume that $\sum_{j=1}^{n} a_j \equiv \sum_{j=1}^{n} b_j \pmod{m}$ and that $a_{n+1} \equiv b_{n+1} \pmod{m}$. Now $\sum_{j=1}^{n+1} a_j = \left(\sum_{j=1}^{n} a_j\right) + a_{n+1} \equiv \left(\sum_{j=1}^{n} b_j\right) + b_{n+1} = \sum_{j=1}^{n+1} b_j \pmod{m}$ by Theorem 4.6(i). This completes the proof. b. We use induction on $n$. For $n = 1$, the identity clearly holds. This completes the basis step. For the inductive step, we assume that $\prod_{j=1}^{n} a_j \equiv \prod_{j=1}^{n} b_j \pmod{m}$ and $a_{n+1} \equiv b_{n+1} \pmod{m}$. Then $\prod_{j=1}^{n+1} a_j = a_{n+1} \prod_{j=1}^{n} a_j \equiv b_{n+1} \prod_{j=1}^{n} b_j = \prod_{j=1}^{n+1} b_j \pmod{m}$ by Theorem 4.6(iii). This completes the proof.

17. Let $m = 6$, $a = 4$, and $b = 5$. Then $4 \bmod 6 = 4$ and $5 \bmod 6 = 5$, but $4 \cdot 5 \bmod 6 = 2 \ne 4 \cdot 5$.

19. By the Division Algorithm, there exist integers $q_1, q_2, r_1, r_2$ such that $a = q_1 m + r_1$ and $b = q_2 m + r_2$, with $0 \le r_1, r_2 < m$. Then $ab \equiv r_1 r_2 \pmod{m}$ by Theorem 4.6(iii). By definition, $a \bmod m = r_1$ and $b \bmod m = r_2$, so $((a \bmod m)(b \bmod m)) \bmod m = (r_1 r_2) \bmod m = ab \bmod m$, by Exercise 10.

21.
−   0  1  2  3  4  5
0   0  5  4  3  2  1
1   1  0  5  4  3  2
2   2  1  0  5  4  3
3   3  2  1  0  5  4
4   4  3  2  1  0  5
5   5  4  3  2  1  0

23. a. 4 o'clock b. 6 o'clock c. 4 o'clock

25. $a \equiv \pm b \pmod{p}$

27. Note that $1 + 2 + 3 + \cdots + (n - 1) = (n - 1)n/2$. If $n$ is odd, then $(n - 1)$ is even, so $(n - 1)n/2$ is an integer. Hence, $n \mid (1 + 2 + 3 + \cdots + (n - 1))$ if $n$ is odd, and $1 + 2 + 3 + \cdots + (n - 1) \equiv 0 \pmod{n}$. If $n$ is even, then $n = 2k$ where $k$ is an integer. Then $(n - 1)n/2 = (n - 1)k$. We can easily see that $n$ does not divide $(n - 1)k$, because $(n, n - 1) = 1$ and $k < n$. It follows that $1 + 2 + \cdots + (n - 1)$ is not congruent to 0 modulo $n$ if $n$ is even.

29. those $n$ relatively prime to 6

31. If $n = 1$, then $5 = 5^1 = 1 + 4(1) \pmod{16}$, so the basis step holds. For the inductive step, we assume that $5^n \equiv 1 + 4n \pmod{16}$. Now $5^{n+1} = 5^n \cdot 5 \equiv (1 + 4n)5 \pmod{16}$ by Theorem 4.4(iii). Further, $(1 + 4n)5 = 5 + 20n \equiv 5 + 4n \pmod{16}$. Finally, $5 + 4n = 1 + 4(n + 1)$. So $5^{n+1} \equiv 1 + 4(n + 1) \pmod{16}$.

33. Note that if $x \equiv 0 \pmod{4}$ then $x^2 \equiv 0 \pmod{4}$, if $x \equiv 1 \pmod{4}$ then $x^2 \equiv 1 \pmod{4}$, if $x \equiv 2 \pmod{4}$ then $x^2 \equiv 4 \equiv 0 \pmod{4}$, and if $x \equiv 3 \pmod{4}$ then $x^2 \equiv 9 \equiv 1 \pmod{4}$. Hence, $x^2 \equiv 0$ or $1 \pmod{4}$ whenever $x$ is an integer. It follows that $x^2 + y^2 \equiv 0$, 1 or $2 \pmod{4}$ whenever $x$ and $y$ are integers. We see that $n$ is not the sum of two squares when $n \equiv 3 \pmod{4}$.

35. By Theorem 4.1, for some integer $a$, $ap^k = x^2 - x = x(x - 1)$. By the fundamental theorem of arithmetic, $p^k$ is a factor of $x(x - 1)$. Because $p$ cannot divide both $x$ and $x - 1$, we know that $p^k \mid x$ or $p^k \mid x - 1$. Thus, $x \equiv 0$ or $x \equiv 1 \pmod{p^k}$.

37. First note that there are $m_1$ possibilities for $a_1$, $m_2$ possibilities for $a_2$, and in general $m_i$ possibilities for $a_i$. Thus, there are $m_1 m_2 \cdots m_k$ expressions of the form $M_1 a_1 + M_2 a_2 + \cdots + M_k a_k$ where $a_1, a_2, \ldots, a_k$ run through complete systems of residues modulo $m_1, m_2, \ldots, m_k$, respectively. Because this is exactly the size of a complete system of residues modulo $M$, the result will follow if we can show distinctness of each of these expressions modulo $M$. Suppose that $M_1 a_1 + M_2 a_2 + \cdots + M_k a_k \equiv M_1 a_1' + M_2 a_2' + \cdots + M_k a_k' \pmod{M}$. Then $M_1 a_1 \equiv M_1 a_1' \pmod{m_1}$, because $m_1$ divides each of $M_2, M_3, \ldots, M_k$, and, further, $a_1 \equiv a_1' \pmod{m_1}$, because $(M_1, m_1) = 1$. Similarly, $a_i \equiv a_i' \pmod{m_i}$. Thus, $a_i'$ is in the same congruence class modulo $m_i$ as $a_i$ for all $i$. The result now follows.

39. a. Let $\sqrt{n} = a + r$, where $a$ is an integer and $0 \le r < 1$. We now consider two cases, when $0 \le r < \frac{1}{2}$ and when $\frac{1}{2} \le r < 1$. For the first case, $T = [\sqrt{n} + \frac{1}{2}] = a$, and so $t = T^2 - n = -(2ar + r^2)$. Thus, $|t| = 2ar + r^2 < 2a(\frac{1}{2}) + (\frac{1}{2})^2 = a + \frac{1}{4}$. Because both $T$ and $n$ are integers, $t$ is also an integer. It follows that $|t| \le [a + \frac{1}{4}] = a = T$. For the second case, when $\frac{1}{2} \le r < 1$, we find that $T = [\sqrt{n} + \frac{1}{2}] = a + 1$ and $t = 2a(1 - r) + (1 - r^2)$. Because $\frac{1}{2} \le r < 1$, $0 < (1 - r) \le \frac{1}{2}$ and $0 < 1 - r^2 < 1$. It follows that $t \le 2a(\frac{1}{2}) + (1 - r^2)$. Because $t$ is an integer, we can say that $|t| \le [a + (1 - r^2)] = a < T$. b. By the division algorithm, we see that if we divide $x$ by $T$, we get $x = aT + b$, where $0 \le b < T$. If $a$ were negative, then $x = aT + b \le (-1)T + b < 0$; but we assumed $x$ to be nonnegative. This shows that $0 \le a$. Suppose now that $a > T$. Then $x = aT + b \ge (T + 1)T = T^2 + T \ge (\sqrt{n} - \frac{1}{2})^2 + (\sqrt{n} - \frac{1}{2}) = n - \frac{1}{4}$ and, as $x$ and $n$ are integers, $x \ge n$. This is a contradiction, which shows that $a \le T$. Similarly, $0 \le c \le T$ and $0 \le d < T$. c. $xy = (aT + b)(cT + d) = acT^2 + (ad + bc)T + bd \equiv ac(t + n) + zT + bd \equiv act + zT + bd \pmod{n}$. d. Use part (c), substituting $eT + f$ for $ac$. e. The first half is identical to part (b); the second half follows by substituting $gT + h$ for $z + et$ in part (c) and noting that $T^2 \equiv t \pmod{n}$. f. Certainly, $ft$ and $gt$ can be computed because all three numbers are less than $T$, which is less than $\sqrt{n} + 1$. So $(f + g)t$ is less than $2n < w$. Similarly, we can compute $j + bd$ without exceeding the word size. And, finally, using the same arguments, we can compute $hT + k$ without exceeding the word size.

41. a. 1 b. 1 c. 1 d. 1 e. Fermat's little theorem (Section 6.1)

43. Because $f_{n-2} + f_{n-1} \equiv f_n \pmod{m}$, if two consecutive numbers recur in the same order, then the sequence must be repeating both as $n$ increases and as it decreases. But there are only $m$ residues, and so $m^2$ ordered sequences of two residues. As the sequence is infinite, some two elements of the sequence must recur by the pigeonhole principle. Thus, the sequence of least positive residues of the Fibonacci numbers repeats. It follows that if $m$ divides some Fibonacci number, that is, if $f_n \equiv 0 \pmod{m}$, then $m$ divides infinitely many Fibonacci numbers. To see that $m$ does divide some Fibonacci number, note that the sequence must contain a 0, namely, $f_0 \equiv 0 \pmod{m}$.

45. Let $a$ and $b$ be positive integers less than $m$. Then they have $O(\log m)$ digits (bits). Therefore by Theorem 2.4, we can multiply them using $O(\log^2 m)$ operations. Division by $m$ takes $O(\log^2 m)$ operations by Theorem 2.7. Therefore, in all we have $O(\log^2 m)$ operations.

47. Let $N_i$ be the number of coconuts the $i$th man leaves for the next man and let $N_0 = N$. At each stage, the $i$th man finds $N_{i-1}$ coconuts, gives $k$ coconuts to the monkeys, takes $(1/n)(N_{i-1} - k)$ coconuts for himself, and leaves the rest for the next man. This yields the recursive formula $N_i = (N_{i-1} - k)(n - 1)/n$. For convenience, let $w = (n - 1)/n$. If we iterate this formula a few times, we get $N_1 = (N_0 - k)w$, $N_2 = (N_1 - k)w = ((N_0 - k)w - k)w = N_0 w^2 - kw^2 - kw$, $N_3 = N_0 w^3 - kw^3 - kw^2 - kw$, .... The general pattern $N_i = N_0 w^i - kw^i - kw^{i-1} - \cdots - kw = N_0 w^i - kw(w^i - 1)/(w - 1)$ may be proved by induction. When the men rise in the morning, they find $N_n = N_0 w^n - kw(w^n - 1)/(w - 1)$ coconuts, and we must have $N_n \equiv k \pmod{n}$, that is, $N_n = N_0 w^n - kw(w^n - 1)/(w - 1) = k + tn$ for some integer $t$. Substituting $w = (n - 1)/n$ back in for $w$, solving for $N_0$, and simplifying yields $N = N_0 = n^{n+1}(t + k)/(n - 1)^n - kn + k$. For $N$ to be an integer, because $(n, n - 1) = 1$, we must have $(t + k)/(n - 1)^n$ an integer. Because we seek the smallest positive value for $N$, we take $t + k = (n - 1)^n$, so $t = (n - 1)^n - k$. Substituting this value back into the formula for $N$ yields $N = n^{n+1} - kn + k$.

49. a. Let $f_1(x) = \sum_{i=0}^{m} a_i x^i$, $f_2(x) = \sum_{i=0}^{m} b_i x^i$, $g_1(x) = \sum_{i=0}^{m} c_i x^i$ and $g_2(x) = \sum_{i=0}^{m} d_i x^i$, where the leading coefficients may be zero to keep the limits of summation the same for all polynomials. Then $a_i \equiv c_i \pmod{n}$ and $b_i \equiv d_i \pmod{n}$, for $i = 0, 1, \ldots, m$. Therefore by Theorem 4.6 part (i), $a_i + b_i \equiv c_i + d_i \pmod{n}$ for $i = 0, 1, \ldots, m$. Because $(f_1 + f_2)(x) = \sum_{i=0}^{m} (a_i + b_i)x^i$ and $(g_1 + g_2)(x) = \sum_{i=0}^{m} (c_i + d_i)x^i$, this shows the sums of the polynomials are congruent modulo $n$. b. With the same set up as in part (a), the coefficient on $x^k$ in $(f_1 f_2)(x)$ is given by $a_0 b_k + a_1 b_{k-1} + \cdots + a_k b_0$, and the corresponding coefficient in $(g_1 g_2)(x)$ is given by $c_0 d_k + c_1 d_{k-1} + \cdots + c_k d_0$. Because each $a_i \equiv c_i \pmod{n}$ and $b_i \equiv d_i \pmod{n}$, by Theorem 4.6 the two expressions are congruent modulo $n$, and so, therefore, are the polynomials.

51. The basis step for induction on $k$ is Exercise 42. Assume that $f(x) \equiv h(x) \pmod{p}$ and $f(x) = (x - a_1) \cdots (x - a_{k-1})h(x)$, where $h(x)$ is a polynomial with integer coefficients. Substituting $a_k$ for $x$ in this congruence gives us $0 \equiv (a_k - a_1) \cdots (a_k - a_{k-1})h(a_k) \pmod{p}$. None of the factors $a_k - a_i$ can be congruent to zero modulo $p$, so we must have $h(a_k) \equiv 0 \pmod{p}$. Applying Exercise 50 to $h(x)$ and $a_k$ gives us $h(x) \equiv (x - a_k)g(x) \pmod{p}$, and substituting this in the congruence for $f(x)$ yields $f(x) \equiv (x - a_1) \cdots (x - a_k)g(x) \pmod{p}$, which completes the induction step.


Section 4.2 


15. 


-ax=6(mod7) bx=2,5o0r8(mod9) ex=10(m0d40)~= d.x = 20 (mod 25) 


e. x = 111 (mod 999) f. x = 75+ 80k (mod 1600) where k is an integer 


. x = 1074+ 3157k (mod 28927591) 

. 19 hours 

. 77 solutions when c is a multiple of 77 

.a13 b7 e«5 d.16 

. a. 1, 7, 11, 13, 17, 19, 23,29  b. Note that 1, 11, 19 and 29 are their own inverses; 7 and 13 are 


inverses of each other, as are 23 and 17. 


. If ax + by =c (mod m), then there exists an integer k such that ax + by — mk =c. Because 


d|ax + by — mk, d|c. Thus, there are no solutions when d { c. Now assume that d | c and 
let a = da’, b = db’, c= dc’, and m = dm’, so that (a’, b’, m’) = 1. Then we can divide the 
original congruence by d to get (*) a’x + b'y =c’ (mod m’), or a'x = c! — b’y (mod m’), which 
has solutions if and only if g = (a’, m’) | c — b’y, which is equivalent to b’y = c’ (mod g) 
having solutions. Because (a’, b’, m’) = 1, and (a’, m’) = g, we must have (b’, g) = 1, and 
so the last congruence has only one incongruent solution yy modulo g. But the m’/g solutions 
yo. ot 8: Yot 28, ---» Yo + (m'/g — 1)g are incongruent modulo m’. Each of these yields g 
incongruent values of x in the congruence (*). Therefore, there are g(m’/g) = m’ incongruent 
solutions to (*). 

Now let (x1, y,) be one solution of the original congruence. Then the d values x;, x; + 
m’,X,+2m',...,x,+(d — 1)m’ are congruent modulo m’ but incongruent modulo m. Likewise, 
the d values y;, y; +m’, yj + 2m’, ..., y; + (d — 1)m’ are congruent modulo m’ but incongruent 
modulo m. So for each solution of (*), we can generate d” solutions of the original congruence. 
Because there are m’ solutions to (*), we have dm’ = dm solutions to the original congruence. 


Suppose that x? = 1(mod p*), where p is an odd prime and k is a positive integer. Then 
x? —1=(x+4+ 1)(x — 1) =0 (mod p*). Hence, p* | (x + 1)(x — 1). Because (x + 1) — (x — 1) =2 
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and p is an odd prime, we know that p divides at most one of (x — 1) and (x + 1). It follows that 
either p* | (x + 1) or p* | (x — 1), so that p = £1 (mod p*). 


To find the inverse of a modulo m, we must solve the Diophantine equation ax + my = 1, which can be done using the Euclidean algorithm. Using Corollary 2.5.1, we can find the greatest common divisor in O(log^3 m) bit operations. The back substitution to find x and y will take no more than O(log m) multiplications, each taking O(log^2 m) operations. Therefore, the total number of operations is O(log^3 m) + O(log m)O(log^2 m) = O(log^3 m).


Section 4.3 
1. x ≡ 1 (mod 6)
3. 32 + 60m
5. x ≡ 1523 (mod 2310)
7. 204
9. 1023
11. x ≡ 2101 (mod 2310)
13. We can construct a sequence of k consecutive integers each divisible by a square as follows. Consider the system of congruences x ≡ 0 (mod p_1^2), x ≡ −1 (mod p_2^2), x ≡ −2 (mod p_3^2), ..., x ≡ −k + 1 (mod p_k^2), where p_k is the kth prime. By the Chinese remainder theorem, there is a solution to this simultaneous system of congruences because the moduli are relatively prime. It follows that there is a positive integer N that satisfies each of these congruences. Each of the k integers N, N + 1, ..., N + k − 1 is divisible by a square because p_j^2 divides N + j − 1 for j = 1, 2, ..., k.
15. Suppose that x is a solution to the system of congruences. Then x ≡ a_1 (mod m_1), so that x = a_1 + km_1 for some integer k. We substitute this into the second congruence to get a_1 + km_1 ≡ a_2 (mod m_2) or km_1 ≡ (a_2 − a_1) (mod m_2), which has a solution in k if and only if (m_1, m_2) | (a_2 − a_1). Now assume such a solution k_0 exists. Then all incongruent solutions are given by k = k_0 + m_2 t/(m_1, m_2), where t is an integer. Then x = a_1 + km_1 = a_1 + (k_0 + m_2 t/(m_1, m_2))m_1 = a_1 + k_0 m_1 + (m_1 m_2/(m_1, m_2))t. Note that m_1 m_2/(m_1, m_2) = [m_1, m_2], so that if we set x_1 = a_1 + k_0 m_1 we have x = x_1 + [m_1, m_2]t ≡ x_1 (mod [m_1, m_2]), and so the solution is unique modulo [m_1, m_2].
17. a. x = 4304 + 2100j  b. x = 9102 + 10010j
19. First, suppose the system has a solution. Then for any distinct i and j, there is a solution to the two-congruence system x ≡ a_i (mod m_i), x ≡ a_j (mod m_j). By Exercise 15, we must have (m_i, m_j) | (a_i − a_j). For the converse, we proceed by mathematical induction on the number of congruences r. For r = 2, Exercise 15 shows that the system has a solution. This is the basis step. Now suppose the proposition is true for systems of r congruences and consider a system of r + 1 congruences. Let M = [m_1, m_2, ..., m_r]. By the induction hypothesis, the system of the first r congruences has a unique solution A (mod M). Consider the system of two congruences x ≡ A (mod M), x ≡ a_{r+1} (mod m_{r+1}). A solution to this system will be a solution to the system of r + 1 congruences. Note that for i = 1, ..., r, we have (m_i, m_{r+1}) | (a_i − a_{r+1}), and likewise (m_i, m_{r+1}) | m_i | (a_i − A), because we must have A ≡ a_i (mod m_i). Therefore, A ≡ a_{r+1} (mod (m_i, m_{r+1})), which is equivalent to A ≡ a_{r+1} (mod [(m_1, m_{r+1}), (m_2, m_{r+1}), ..., (m_r, m_{r+1})]). Check that this last modulus is equal to (M, m_{r+1}). Then we have (M, m_{r+1}) | (A − a_{r+1}). Therefore, by the induction hypothesis, the system x ≡ A (mod M), x ≡ a_{r+1} (mod m_{r+1}) has a unique solution modulo [M, m_{r+1}] = [m_1, m_2, ..., m_{r+1}], and this is a solution to the system of r + 1 congruences.
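The merging step of Exercise 15 and the pairwise criterion of Exercise 19 can be checked mechanically. The following is an added example, not code from the book; the function names and the small moduli used for the exhaustive check are constructed for illustration.

```python
from itertools import combinations, product
from math import gcd


def ext_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) = s*a + t*b (Euclidean algorithm)."""
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def merge(a1, m1, a2, m2):
    """Combine x = a1 (mod m1) and x = a2 (mod m2) as in Exercise 15.

    Returns (x1, [m1, m2]) or None when (m1, m2) does not divide a2 - a1.
    """
    g, s, _ = ext_gcd(m1, m2)
    if (a2 - a1) % g:
        return None                      # no k solves k*m1 = a2 - a1 (mod m2)
    lcm = m1 // g * m2
    # s*(m1/g) = 1 (mod m2/g), so k0 = s*(a2 - a1)/g solves the congruence in k.
    k0 = (s * ((a2 - a1) // g)) % (m2 // g)
    return (a1 + k0 * m1) % lcm, lcm


def solve_system(congruences):
    """Fold merge() over [(a_1, m_1), ...]; returns (A, M) or None."""
    a, m = 0, 1
    for ai, mi in congruences:
        merged = merge(a, m, ai % mi, mi)
        if merged is None:
            return None
        a, m = merged
    return a, m


def pairwise_compatible(congruences):
    """Exercise 19's condition: (m_i, m_j) | (a_i - a_j) for every pair."""
    return all((ai - aj) % gcd(mi, mj) == 0
               for (ai, mi), (aj, mj) in combinations(congruences, 2))


def criterion_matches_solver(moduli):
    """Exhaustively compare the criterion with the solver for fixed moduli."""
    for residues in product(*(range(m) for m in moduli)):
        system = list(zip(residues, moduli))
        solution = solve_system(system)
        if (solution is not None) != pairwise_compatible(system):
            return False
        if solution is not None and any(solution[0] % m != a for a, m in system):
            return False
    return True


if __name__ == "__main__":
    print(solve_system([(3, 4), (5, 6), (1, 10)]))   # constructed, solvable
    print(solve_system([(1, 6), (4, 10)]))           # constructed, unsolvable
    print(criterion_matches_solver((4, 6, 10)))
```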


2101 
73,800 pounds 
0000, 0001, 0625, 9376 


We need to solve the system x ≡ 23 + 2 (mod 4 · 23), x ≡ 28 + 1 (mod 4 · 28), x ≡ 33 (mod 4 · 33), where we have added 2 and 1 to make the system solvable under the conditions of Exercise 19. The solution to this system is x ≡ 4257 (mod 85008).


every 85,008 quarter-days, starting at 0 


We examine each congruence class modulo 24. If x is congruent to an odd number modulo 24, then x ≡ 1 (mod 2), so all the odd congruence classes are covered. Note that the congruence classes of 2, 6, 10, 14, 18, 22 are all congruent to 2 (mod 4). This leaves only 0, 4, 8, 12, 16, 20. 0 ≡ 0 (mod 24), 4 ≡ 12 ≡ 20 ≡ 4 (mod 8), 8 ≡ 8 (mod 12), and 16 ≡ 1 (mod 3), so all congruence classes modulo 24 are covered.


If the set of distinct congruences covers the integers modulo the least common multiple of the 
moduli, then that set will cover all integers. Examine the integers modulo 210, the l.c.m. of the
moduli in this set of congruences. The first four congruences take care of all numbers containing 
a prime divisor of 2, 3, 5, or 7. The remaining numbers can be examined one at a time, and each 
can be seen to satisfy one (or more) of the congruences. 


most likely 318 inches 


x = 225a_1 + 1000a_2 + 576a_3 + 1800k, where k is an integer and a_1 is 3 or 7, a_2 is 2 or 7, and a_3 is 14 or 18


Section 4.4 
1. a. 1 or 2 (mod 7)  b. 8 or 37 (mod 39)  c. 106 or 233 (mod 343)
3. 785 or 1615 (mod 2401)
5. 184, 373, 562, 751, 940, 1129, and 1318 (mod 1323)
7. 3404 or 279 (mod 4375) 
9. two 
11. Because (a, p) = 1, we know that a has an inverse b modulo p. Let f(x) = ax − 1. Then x ≡ b (mod p) is the unique solution to f(x) ≡ 0 (mod p). Because f′(x) = a ≢ 0 (mod p), we know that r = b lifts uniquely to solutions modulo p^k for all natural numbers k. By Corollary 4.14.1, we have that r_k = r_{k−1} − f(r_{k−1}) \overline{f′(b)} = r_{k−1} − (a r_{k−1} − 1) \overline{a} = r_{k−1} − (a r_{k−1} − 1)b = r_{k−1}(1 − ab) + b. This gives a recursive formula for lifting b to a solution modulo p^k for any k.


13. There are 1, 3, 3, 9, and 18 solutions for n = 1, 2, 3, 4, and 5, respectively.
Section 4.5 
1. a. x ≡ 2 (mod 5) and y ≡ 2 (mod 5)  b. no solutions  c. x ≡ 3 (mod 5), y ≡ 0 (mod 5); x ≡ 4 (mod 5), y ≡ 1 (mod 5); x ≡ 0 (mod 5), y ≡ 2 (mod 5); x ≡ 1 (mod 5), y ≡ 3 (mod 5); and x ≡ 2 (mod 5), y ≡ 4 (mod 5).

3. 0, 1, p, or p^2

5. The basis step, where k = 1, is clear by assumption. For the inductive hypothesis, assume that A ≡ B (mod m) and A^k ≡ B^k (mod m). Then, A · A^k ≡ A · B^k (mod m) by Theorem 4.16. Further, A^{k+1} = A · A^k ≡ A · B^k ≡ B · B^k = B^{k+1} (mod m).
7. false; take m = 8 and A = (; .)
643) (206, (3554 
9.a[ 4 3 4 b{2 1 4 Cc. 
3 4 4 3 4 0 2 2 2 
4555 

11. a. 5  b. 5  c. 5  d. 1

13. In Gaussian elimination, the chief operation is to subtract a multiple of one equation or row from another, in order to put a 0 in a desirable place. Given that an entry a must be changed to 0 by subtracting a multiple of b, we proceed as follows: Let b̄ be the inverse for b (mod k). Then a − (a b̄)b ≡ 0, and elimination proceeds as for real numbers. If b̄ doesn't exist, and one cannot swap rows to get an invertible b, then the system is underdetermined.

15. Consider summing the ith row. Let k = xn + y, where 0 < y <n. Then x and y must satisfy the 
Diophantine equation i = a+ cy + ex (mod n), if k is in the ith row. Then x — ct and y + et 
is also a solution for any integer t. By Exercise 14, there must be n positive solutions that yield
n numbers k between 0 and n^2. Let s, s + 1, ..., s + n − 1 be the values for t that give these
solutions. Then the sum of the ith row is eax —ce(st+r)+yt+est+r))=ntn4+ I), 
which is independent of i. 

Section 4.6 

1. a. 7 · 19  b. 29 · 41  c. 41 · 47  d. 47 · 173  e. 131 · 277  f. 29 · 1663

3. Numbers generated by linear functions where a > 1 will not be random in the sense that x_{2s} − x_s = a x_{2s−1} + b − (a x_{s−1} + b) = a(x_{2s−1} − x_{s−1}) is a multiple of a for all s. If a = 1, then x_{2s} − x_s = x_0 + sb. In this case, if x_0 ≠ 0, then we will not notice if a factor of b that is not a factor of x_0 is a divisor of n.

Section 5.1 

1. a. 256 = 2^8  b. 16 = 2^4  c. 1024 = 2^10  d. 2 = 2^1

3. a. by 3 but not by 9  b. by both 3 and 9  c. by both 3 and 9  d. by neither 3 nor 9

5. a. 2^1 = 2  b. 2^0 = 1  c. 2^6 = 64  d. 2^0 = 1

7. a. no  b. no  c. yes  d. yes

9. a. by neither 3 nor 5  b. by both 3 and 5  c. by neither 3 nor 5  d. by 5 but not by 3

11. if and only if the number of digits is a multiple of 3 (respectively, 9) 

13. if and only if the number of digits is a multiple of 6 in each case 

15. if and only if the number of digits is a multiple of d, where d | b — 1 

17. A palindromic integer with 2k digits has the form (a_k a_{k−1} ... a_1 a_1 a_2 ... a_k). Using the test for divisibility by 11 developed in this section, we find that a_k − a_{k−1} + ··· ± a_1 ∓ a_1 ± a_2 ∓ ··· − a_k = 0, and so (a_k a_{k−1} ... a_1 a_1 a_2 ... a_k)_10 is divisible by 11.

19. An integer a_k a_{k−1} ... a_0 is divisible by 37 if and only if a_0a_1a_2 + a_3a_4a_5 + a_6a_7a_8 + ··· is; 37 ∤ 443692; 37 | 11092785

21. a. no  b. by 5 but not by 2  c. by neither 5 nor 13  d. yes

23. 6

25. a. no solutions  b. 0, 3, 6, or 9  c. any digit is a solution  d. 9  e. 9  f. no solutions


27. no


Answers to Odd-Numbered Exercises

29. First note that n = a_k 10^k + a_{k−1} 10^{k−1} + ··· + a_1 10 + a_0, so that (n − a_0)/10 = (a_k 10^k + a_{k−1} 10^{k−1} + ··· + a_1 10)/10 = a_k 10^{k−1} + ··· + a_1. Now suppose d | n. Then n = a_k 10^k + a_{k−1} 10^{k−1} + ··· + a_1 10 + a_0 = 10(a_k 10^{k−1} + ··· + a_1) + a_0 ≡ 0 (mod d). Multiplying both sides by e, which is an inverse for 10 modulo d, gives us (a_k 10^{k−1} + ··· + a_1) + e a_0 ≡ 0 (mod d). Which is n′ = (n − a_0)/10 + e a_0 ≡ 0 (mod d). These steps are reversible, so we have that d | n if and only if d | n′.

To show the technique will work, we need to show that n, n′, (n′)′, ... is a decreasing sequence until we get a term that is not much bigger than d. Suppose that n > 10d. Then, because a_0 ≤ 9, we have 9n > 10a_0 d. Because e is a least positive residue modulo d, we have e < d, so, in particular, 10e − 1 < 10d. Using this in the above inequality gives us 9n > a_0(10e − 1). Adding n to both sides gives us 10n > n − a_0 + 10e a_0, or n > (n − a_0)/10 + e a_0 = n′. This shows that the sequence generated will be decreasing at least until some term is less than 10d, which we may examine by hand.

31. a. Multiply the last digit by 4 and add this result to the number formed by deleting the last digit of the integer and repeat.  b. Multiply the last digit by 2 and add this result to the number formed by deleting the last digit of the integer and repeat.  c. Multiply the last digit by 2 and subtract this result from the number formed by deleting the last digit of the integer and repeat.  d. Multiply the last digit by 8 and subtract this result from the number formed by deleting the last digit of the integer and repeat.

33. a. 13 ∤ 798; 19 | 798; 21 | 798; 27 ∤ 798  b. 13 | 2340; 19 ∤ 2340; 21 ∤ 2340; 27 ∤ 2340  c. 13 ∤ 34257; 19 | 34257; 21 ∤ 34257; 27 ∤ 34257  d. 13 ∤ 348327; 19 | 348327; 21 | 348327; 27 | 348327


Section 5.2 


1. Happy Birthday!

3. twice

5. W ≡ k + [2.6m − 0.2] − 2C + Y + [Y/4] + [C/4] − [C/40] (mod 7).

7. answer is person dependent

9. 2500

11. If the 13th falls on the same day of the week on two consecutive months, then the number of days in the first month must be congruent to 0 modulo 7, and the only such month is February during a non-leap year. If February 13th is a Friday, then January 1st is a Thursday.

13. In the perpetual calendar formula, we let W = 5 and k = 13 to get 5 ≡ 13 + [2.6m − 0.2] − 2C + Y + [Y/4] + [C/4] (mod 7). Then [2.6m − 0.2] ≡ 6 + 2C − Y − [Y/4] − [C/4] (mod 7). We note that as the month varies from March to December, the expression [2.6m − 0.2] takes on every residue class modulo 7. So regardless of the year, there is always an m which makes the left side of the last congruence congruent to the right side.

15. The months with 31 days are March, May, July, August, October, December, and January, which is considered in the previous year. The corresponding numbers for these months are 1, 3, 5, 6, 8, 10, and 12. Given Y and C, we let k = 31 in the perpetual calendar formula and get W ≡ 31 + [2.6m − 0.2] − 2C + Y + [Y/4] + [C/4] ≡ 3 + [2.6m − 0.2] − 2C + Y + [Y/4] + [C/4] (mod 7). To see which days of the week the 31st will fall on, we let m take on the values 1, 3, 5, 6, 8, 10 and reduce. Finally, we decrease the year by 1 (which may require decreasing the century by 1) and let m take on the value 12 and reduce modulo 7. The collection of values of W tells us the days of the week on which the 31st will fall.
Section 5.3


1. a. Teams i and j are paired in round k if and only if i + j ≡ k (mod 7), with team i drawing a bye if 2i ≡ k (mod 7). Round 1: 1-7, 2-6, 3-5, 4-bye; round 2: 2-7, 3-6, 4-5, 1-bye; round 3: 1-2, 3-7, 4-6, 5-bye; round 4: 1-3, 4-7, 5-6, 2-bye; round 5: 1-4, 2-3, 5-7, 6-bye; round 6: 1-5, 2-4, 6-7, 3-bye; round 7: 1-6, 2-5, 3-4, 7-bye.  b. Teams i and j are paired in round k if and only if i + j ≡ k (mod 7), i, j ≠ 8; team i plays team 8 if 2i ≡ k (mod 7).  c. Teams i and j are paired in round k if and only if i + j ≡ k (mod 9), with team i drawing a bye if 2i ≡ k (mod 9).  d. Teams i and j are paired in round k if and only if i + j ≡ k (mod 9), i, j ≠ 10; team i plays team 10 if 2i ≡ k (mod 9).


3. a. home teams in round 1: 4 and 5; round 2: 2 and 3; round 3: 1 and 5; round 4: 3 and 4; round 5: 1 and 2  b. home teams in round 1: 5, 6, and 7; round 2: 2, 3, and 4; round 3: 1, 6, and 7; round 4: 3, 4, and 5; round 5: 1, 2, and 7; round 6: 4, 5, and 6; round 7: 1, 2, and 3  c. home teams in round 1: 6, 7, 8, and 9; round 2: 2, 3, 4, and 5; round 3: 1, 7, 8, and 9; round 4: 3, 4, 5, and 6; round 5: 1, 2, 8, and 9; round 6: 4, 5, 6, and 7; round 7: 1, 2, 3, and 9; round 8: 5, 6, 7, and 8; round 9: 1, 2, 3, and 4


Section 5.4 


1. Let k be the six-digit number on the license plate of a car. We can assign this car the space numbered h(k) ≡ k (mod 101), where the spaces are numbered 0, 1, 2, ..., 100. When a car is assigned the same space as another car we can assign it to the space h(k) + g(k) where g(k) ≡ k + 1 (mod 99) and 0 < g(k) < 98. When this space is occupied, we next try h(k) + 2g(k), then h(k) + 3g(k), and so on. All spaces are examined because (g(k), 101) = 1.


3. a. It is clear that m memory locations will be probed as j = 0, 1, 2, ..., m − 1. To see that they are all distinct, and hence every memory location is probed, assume that h_i(K) ≡ h_j(K) (mod m). Then h(K) + iq ≡ h(K) + jq (mod m). From this it follows that iq ≡ jq (mod m), and as (q, m) = 1, i ≡ j (mod m) by Corollary 4.5.1. And so i = j because i and j are both less than m.  b. It is clear that m memory locations will be probed as j = 0, 1, 2, ..., m − 1. To see that they are all distinct, and hence every memory location is probed, assume that h_i(K) ≡ h_j(K) (mod m). Then h(K) + iq ≡ h(K) + jq (mod m). From this it follows that iq ≡ jq (mod m), and as (q, m) = 1, i ≡ j (mod m) by Corollary 4.5.1. And so i = j because i and j are both less than m.


5. 558, 1002, 2174, 4035 


Section 5.5 

1. a. 0  b. 0  c. 1  d. 1  e. 0  f. 1
3. a. 0  b. 1  c. 0

5. a. 7  b. 1  c. 4


7. Transposition means that adjacent digits are in the wrong order. Suppose, first, that the first two digits, x_1 and x_2, or equivalently, the fourth and fifth digits, are exchanged, and the error is not detected. Then x_7 ≡ 7x_1 + 3x_2 + x_3 + 7x_4 + 3x_5 + x_6 ≡ 7x_2 + 3x_1 + x_3 + 7x_4 + 3x_5 + x_6 (mod 10). It follows that 7x_1 + 3x_2 ≡ 7x_2 + 3x_1 (mod 10) or 4x_1 ≡ 4x_2 (mod 10). By Corollary 4.5.1, we see that x_1 ≡ x_2 (mod 5). This is equivalent to |x_1 − x_2| = 5, as x_1 and x_2 are single digits. Similarly, if the second and third (or fifth and sixth) digits are transposed, we find that 2x_2 ≡ 2x_3 (mod 10), which again reduces to x_2 ≡ x_3 (mod 5) by Corollary 4.5.1. Also, if the third and fourth digits are transposed, we find that 6x_3 ≡ 6x_4 (mod 10) and x_3 ≡ x_4 (mod 5), similarly as before. The reverse argument will complete the proof.




23. 
25. 


27. 
29. 


31. 
33. 




. a. 0  b. 3  c. 4  d. X

. a. valid  b. not valid  c. valid  d. valid  e. not valid

. 0-07-289905-0

. a. no  b. yes  c. yes  d. no

. It can.

. a. valid  b. not valid  c. valid  d. not valid  e. valid

. Let c_i = 1 if i is odd and c_i = 3 if i is even, for i = 1, 2, ..., 13. Then Σ_{i=1}^{13} c_i a_i ≡ 0 (mod 10). Suppose that one digit, say, a_j, of an ISBN-13 code is misread as b ≠ a_j. To get a contradiction, suppose that when the above congruence is changed by replacing a_j by b the sum is still congruent to 0 modulo 10. If we subtract these two congruences, we get c_j(a_j − b) ≡ 0 (mod 10). Because both 1 and 3 are relatively prime to 10, we can multiply both sides by c_j^{−1}, which gives us a_j − b ≡ 0 (mod 10). But because a_j and b are both integers between 0 and 9, we must have a_j = b, contradicting the assumption that b ≠ a_j. Therefore, any single error is detected by the code.
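The single-error argument above can be confirmed exhaustively on a real code word. The following is an added example, not code from the book; it uses the ISBN-13 printed on this book's copyright page, and it goes one step beyond the answer by also listing adjacent transpositions that the weights 1 and 3 cannot detect (digits differing by 5, the same mechanism as in Exercise 7 of this section). Function names are illustrative.

```python
# Weights c_i from the answer: 1 for odd positions, 3 for even positions.
WEIGHTS = [1 if i % 2 == 1 else 3 for i in range(1, 14)]


def parse(isbn):
    """Extract the 13 digits from a hyphenated ISBN-13 string."""
    digits = [int(ch) for ch in isbn if ch.isdigit()]
    if len(digits) != 13:
        raise ValueError("an ISBN-13 has exactly 13 digits")
    return digits


def isbn13_valid(digits):
    """Check the congruence sum(c_i * a_i) = 0 (mod 10)."""
    return sum(c * a for c, a in zip(WEIGHTS, digits)) % 10 == 0


def undetected_single_errors(digits):
    """Return every (position, wrong_digit) substitution that still validates.

    Positions are 1-based. The answer's argument says this list is empty.
    """
    missed = []
    for pos in range(13):
        for b in range(10):
            if b == digits[pos]:
                continue
            corrupted = digits[:pos] + [b] + digits[pos + 1:]
            if isbn13_valid(corrupted):
                missed.append((pos + 1, b))
    return missed


def undetected_adjacent_swaps(digits):
    """Return 1-based positions i where swapping digits i and i+1 goes unnoticed.

    Swapping a and b changes the sum by +/-2(a - b), which is 0 (mod 10)
    exactly when a and b differ by 5.
    """
    missed = []
    for pos in range(12):
        a, b = digits[pos], digits[pos + 1]
        if a == b:
            continue                      # swapping equal digits is not an error
        swapped = digits[:pos] + [b, a] + digits[pos + 2:]
        if isbn13_valid(swapped):
            missed.append(pos + 1)
    return missed


if __name__ == "__main__":
    book = parse("978-0-321-50031-1")     # ISBN-13 from the copyright page
    print(isbn13_valid(book))
    print(undetected_single_errors(book))
    print(undetected_adjacent_swaps(book))
```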


a. yes  b. no


a. 94  b. If x_i is misentered as y_i, then if the congruence defining x_10 holds, we see that ax_i ≡ ay_i (mod 11) by setting the two definitions of x_10 congruent. From this, it follows by Corollary 4.5.1 that x_i ≡ y_i (mod 11) and so x_i = y_i. If the last digit, x_11, is misentered as y_11, then the congruence defining x_11 will hold if and only if x_11 = y_11.  c. Suppose that x_i is misentered as y_i and x_j is misentered as y_j, with i < j < 10. Suppose both of the congruences defining x_10 and x_11 hold. Then by setting the two versions of each congruence congruent to each other, we obtain ax_i + bx_j ≡ ay_i + by_j (mod 11) and cx_i + dx_j ≡ cy_i + dy_j (mod 11) where a ≠ b. If it is the case that ad − bc ≢ 0 (mod 11), then the coefficient matrix is invertible and we can multiply both sides of this system of congruences by the inverse to obtain x_i = y_i and x_j = y_j. Indeed, after (tediously) checking each possible choice of a, b, c, and d, we find that all the matrices are invertible modulo 11.


al bl 66 


Errors involving a difference of 7 cannot be detected: 0 for 7, 1 for 8, 2 for 9, or vice versa. All 
others can be detected. 


a. 1  b. X  c. 2  d. 8

Yes. Assume not and compare the expressions modulo 11 to get a congruence of the form ad_i + bd_j ≡ ad_j + bd_i (mod 11), which reduces to (a − b)d_i ≡ (a − b)d_j (mod 11). Because 0 < a − b < 11 and 11 is prime, it follows that d_i ≡ d_j (mod 11). Because these digits are between 0 and X, they must be equal.


Section 6.1 


Note that 10! + 1 = 1(2 · 6)(3 · 4)(5 · 9)(7 · 8)10 + 1 = 1 · 12 · 12 · 45 · 56 · 10 + 1 ≡ 1 · 1 · 1 · 1 · 1 · (−1) + 1 = 0 (mod 11). Therefore, 11 divides 10! + 1.


(3^5)^2 = 243^2 ≡ 1^2 = 1 (mod 11^2).


15. 
17. 


19. 


21. 


23. 
25. 


27. 
29. 


31. 


33. 


35. 


37. 


39. 
a. x ≡ 9 (mod 17)  b. x ≡ 17 (mod 19)


Suppose that p is an odd prime. Then Wilson's theorem tells us that (p − 1)! ≡ −1 (mod p). Because (p − 1)! = (p − 3)!(p − 1)(p − 2) ≡ (p − 3)!(−1)(−2) ≡ 2 · (p − 3)! (mod p), this implies that 2 · (p − 3)! ≡ −1 (mod p).

Because (a, 35) = 1, we have (a, 7) = (a, 5) = 1, so we may apply Fermat's little theorem to get a^12 − 1 = (a^6)^2 − 1 ≡ 1^2 − 1 = 0 (mod 7) and a^12 − 1 = (a^4)^3 − 1 ≡ 1^3 − 1 = 0 (mod 5). Because both 5 and 7 divide a^12 − 1, then 35 must also divide it.


When n is even, so is n^7, and when n is odd, so is n^7. It follows that n^7 ≡ n (mod 2). Furthermore, because n^3 ≡ n (mod 3), it follows that n^7 = (n^3)^2 · n ≡ n^2 · n ≡ n^3 ≡ n (mod 3). We also know by Fermat's little theorem that n^7 ≡ n (mod 7). Because 42 = 2 · 3 · 7, it follows that n^7 ≡ n (mod 42).

By Fermat's little theorem, Σ_{k=1}^{p−1} k^{p−1} ≡ Σ_{k=1}^{p−1} 1 = p − 1 (mod p).

By Fermat's little theorem, we have a ≡ a^p ≡ b^p ≡ b (mod p); hence, b = a + kp for some integer k. Then by the binomial theorem, b^p = (a + kp)^p = a^p + C(p, 1)a^{p−1}kp + p^2 N, where N is some integer. Then b^p = a^p + p^2 a^{p−1}k + p^2 N ≡ a^p (mod p^2), as desired.

641 


Suppose that p is prime. Then by Fermat's little theorem, for every integer a, a^p ≡ a (mod p), and by Wilson's theorem, (p − 1)! ≡ −1 (mod p), so that a(p − 1)! ≡ −a (mod p). It follows that a^p + (p − 1)!a ≡ a + (−a) = 0 (mod p). Consequently, p | [a^p + (p − 1)!a].


Because p − 1 ≡ −1, p − 2 ≡ −2, ..., (p + 1)/2 ≡ −(p − 1)/2 (mod p), we have ((p − 1)/2)!^2 ≡ −(p − 1)! ≡ 1 (mod p). (Because p ≡ 3 (mod 4) the minus signs work out.) If x^2 ≡ 1 (mod p), then p | x^2 − 1 = (x − 1)(x + 1), so x ≡ ±1 (mod p).


Suppose that p ≡ 1 (mod 4). Let y = ±[(p − 1)/2]!. Then y^2 ≡ [(p − 1)/2]!^2 ≡ [(p − 1)/2]!^2 (−1)^{(p−1)/2} ≡ (1 · 2 · 3 ··· (p − 1)/2)(−1 · (−2) · (−3) ··· (−(p − 1)/2)) ≡ 1 · 2 · 3 ··· (p − 1)/2 · (p + 1)/2 ··· (p − 3)(p − 2)(p − 1) = (p − 1)! ≡ −1 (mod p), where we have used Wilson's theorem. Now suppose that x^2 ≡ −1 (mod p). Then x^2 ≡ y^2 (mod p) where y = [(p − 1)/2]!. Hence, (x^2 − y^2) = (x − y)(x + y) ≡ 0 (mod p). It follows that p | (x − y) or p | (x + y) so that x ≡ ±y (mod p).


If n is composite and n ≠ 4, then Exercise 16 shows that (n − 1)!/n is an integer, so [((n − 1)! + 1)/n − [(n − 1)!/n]] = [(n − 1)!/n + 1/n − (n − 1)!/n] = [1/n] = 0, and if n = 4, then the same expression is also equal to 0. But if n is prime, then by Wilson's Theorem (n − 1)! = Kn − 1 for some integer K. So [((n − 1)! + 1)/n − [(n − 1)!/n]] = [(Kn − 1 + 1)/n − [(Kn − 1)/n]] = [K − (K − 1)] = 1. Therefore, the sum increases by 1 exactly when n is prime, so it must be equal to π(n).


Let n = 4k + r with 0 ≤ r < 4. Then by Fermat's little theorem, we have b^n = b^{4k+r} = (b^4)^k b^r ≡ 1^k b^r = b^r (mod 5) for any integer b. Then 1^n + 2^n + 3^n + 4^n ≡ 1^r + 2^r + 3^r + 4^r (mod 5). We consider each of the 4 possibilities for r. If r = 0, then 1^r + 2^r + 3^r + 4^r = 1 + 1 + 1 + 1 = 4 (mod 5). If r = 1, then 1^r + 2^r + 3^r + 4^r = 1 + 2 + 3 + 4 ≡ 0 (mod 5). If r = 2, then 1^r + 2^r + 3^r + 4^r = 1 + 4 + 9 + 16 = 30 ≡ 0 (mod 5). If r = 3, then 1^r + 2^r + 3^r + 4^r = 1 + 8 + 27 + 64 ≡ 1 + 3 + 2 + 4 ≡ 0 (mod 5). So 5 divides 1^n + 2^n + 3^n + 4^n if and only if r ≠ 0, that is, if and only if 4 ∤ n.


Suppose that n and n + 2 are twin primes. By Wilson's theorem, n is prime if and only if (n − 1)! ≡ −1 (mod n). Hence, 4[(n − 1)! + 1] + n ≡ 4 · 0 + n ≡ 0 (mod n). Also, because n + 2 is prime, by Wilson's theorem it follows that (n + 1)! ≡ −1 (mod n + 2), so that (n + 1)n · (n − 1)! ≡ (−1)(−2)(n − 1)! ≡ 2(n − 1)! ≡ −1 (mod n + 2). Hence, 4[(n − 1)! + 1] + n = 2(2 · (n − 1)!) + 4 + n ≡ 2 · (−1) + 4 + n = n + 2 ≡ 0 (mod n + 2). Because (n, n + 2) = 1,
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41. 


43. 


45. 


47. 


49, 


51. 
it follows that 4[(n − 1)! + 1] + n ≡ 0 (mod n(n + 2)). The converse follows for n odd, by reversing these calculations. For n even, it's easy to check that one of the congruences in the system fails to hold.


We have 1 · 2 ··· (p − 1) ≡ (p + 1)(p + 2) ··· (2p − 1) (mod p). Each factor is prime to p, so 1 ≡ ((p + 1)(p + 2) ··· (2p − 1))/(1 · 2 ··· (p − 1)) (mod p). Thus, 2 ≡ ((p + 1)(p + 2) ··· (2p − 1)2p)/(1 · 2 ··· (p − 1)p) = C(2p, p) (mod p).


We first note that 1^p ≡ 1 (mod p). Now suppose that a^p ≡ a (mod p). Then by Exercise 42, we see that (a + 1)^p ≡ a^p + 1 (mod p). But by the inductive hypothesis a^p ≡ a (mod p), we see that a^p + 1 ≡ a + 1 (mod p). Hence, (a + 1)^p ≡ a + 1 (mod p).


a. If c ≤ 26, then c cards are put into the deck above the card, so it ends up in the 2cth position and 2c ≤ 52, so b = 2c. If c > 26, then the card is in the (c − 26)th place in the bottom half of the deck. In the shuffle, c − 26 − 1 cards are put into the deck above the card, so it ends up in the b = (c − 26 + c − 26 − 1)th place. Then b = 2c − 53 ≡ 2c (mod 53).  b. 52


Assume without loss of generality that a_p ≡ b_p ≡ 0 (mod p). Then by Wilson's theorem, a_1 a_2 ··· a_{p−1} ≡ b_1 b_2 ··· b_{p−1} ≡ −1 (mod p). Then a_1 b_1 ··· a_{p−1} b_{p−1} ≡ (−1)^2 = 1 (mod p). If the set were a complete system, the last product would be ≡ −1 (mod p).


The basis step is omitted. Assume (p − 1)^{p^{k−1}} ≡ −1 (mod p^k). Then (p − 1)^{p^k} = ((p − 1)^{p^{k−1}})^p = (−1 + mp^k)^p = −1 + C(p, 1)mp^k + ··· + (mp^k)^p ≡ −1 (mod p^{k+1}), where we have used the fact that p | C(p, j) for j ≠ 0 or p.


First suppose n is prime. Then from Exercise 72 in Section 3.5, we have C(n, k) is divisible by n for k = 1, 2, 3, ..., n − 1. Then by the binomial theorem, (x − a)^n = x^n − C(n, 1)x^{n−1}a + C(n, 2)x^{n−2}a^2 + ··· + (−a)^n ≡ x^n + (−a)^n (mod n), because all the binomial coefficients, except the first and last, are divisible by n. Then by Fermat's little theorem, because (n, −a) = 1, we have x^n + (−a)^n ≡ x^n − a (mod n), so these two polynomials are congruent modulo n as polynomials. Conversely, suppose n is not prime and let p be the smallest prime dividing n, and let q = p^α || n. Looking at the expression above, it suffices to show that one of the binomial coefficients is not divisible by q, and hence not divisible by n. Let n = mq. Then C(n, q) = n(n − 1) ··· (n − (q − 1))/q! = m(n − 1) ··· (n − (q − 1))/(q − 1)!. Because q is the highest power of p dividing n, we have (q, m) = 1. Further, if q | (n − b), for b = 1, 2, ..., q − 1, then q | b, but 1 ≤ b ≤ q − 1, a contradiction. Therefore, q doesn't divide the numerator of the fraction, and so neither does n. Therefore, C(n, q) ≢ 0 (mod n). Because the coefficient of x^q is 0 in x^n − a, these two polynomials cannot be congruent modulo n as polynomials.


Section 6.2 


1. 3^90 ≡ 1 (mod 91), but 91 = 7 · 13

3. 2^161038 ≡ 2 (mod 161038)

5. (n − a)^n ≡ (−a)^n ≡ −(a^n) ≡ −a ≡ (n − a) (mod n)

7. Raise the congruence 2^{2^m} ≡ −1 (mod F_m) to the 2^{2^m − m}th power, to obtain 2^{2^{2^m}} ≡ 1 (mod 2^{2^m} + 1), which says that 2^{F_m − 1} ≡ 1 (mod F_m).

9. Suppose that n is a pseudoprime to the bases a and b. Then b^n ≡ b (mod n) and a^n ≡ a (mod n). It follows that (ab)^n = a^n b^n ≡ ab (mod n). Hence, n is a pseudoprime to the base ab.

11. If (ab)^{n−1} ≡ 1 (mod n), then, 1 ≡ a^{n−1}b^{n−1} ≡ 1 · b^{n−1} (mod n), which implies that n is a pseudoprime to the base b, a contradiction.


13. A computation shows 2^1387 ≡ 2 (mod 1387), so 1387 is a pseudoprime. But 1387 − 1 = 2 · 693 and 2^693 ≡ 512 (mod 1387), which is all that must be checked, because s = 1. Thus, 1387 fails Miller's test and hence is not a strong pseudoprime.

15. Note that 25326001 − 1 = 2^4 · 1582875 = 2^s t and with this value of t, 2^t ≡ −1 (mod 25326001), 3^t ≡ −1 (mod 25326001), and 5^t ≡ 1 (mod 25326001).

17. Suppose c = 7 · 23 · q, with q an odd prime, is a Carmichael number. Then by Theorem 6.7, we must have (7 − 1) | (c − 1), so c = 7 · 23 · q ≡ 1 (mod 6). Solving this yields q ≡ 5 (mod 6). Also, we must have (23 − 1) | (c − 1), so c = 7 · 23 · q ≡ 1 (mod 22). Solving this yields q ≡ 19 (mod 22). If we apply the Chinese remainder theorem to these two congruences, we obtain q ≡ 41 (mod 66), that is, q = 41 + 66k. Then we must have (q − 1) | (c − 1), which is (40 + 66k) | (7 · 23 · (41 + 66k) − 1). So there is an integer m such that m(40 + 66k) = 6600 + 10626k = 160 + 6440 + 10626k = 160 + 161(40 + 66k). Therefore, 160 must be a multiple of 40 + 66k, which happens only when k = 0. Therefore, q = 41 is the only such prime.

19. We have 321,197,185 − 1 = 321,197,184 = 4 · 80,299,296 = 18 · 17,844,288 = 22 · 14,599,872 = 28 · 11,471,328 = 36 · 8,922,144 = 136 · 2,361,744, so p − 1 | 321,197,185 − 1 for every prime p which divides 321,197,185. Therefore, by Theorem 6.7, 321,197,185 is a Carmichael number.

21. We can assume that b < n. Then b has fewer than log_2 n bits. Also, t < n so it has fewer than log_2 n bits. It takes at most log_2 n multiplications to calculate b^{2^s}, so it takes O(log_2 n) multiplications to calculate b^{2^{log_2 t}} = b^t. Each multiplication is of two log_2 n bit numbers, and so takes O((log_2 n)^2) operations. So all together we have O((log_2 n)^3) operations.
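The Section 6.2 answers on 1387, 25326001, 7 · 23 · q and 321,197,185 can all be reproduced with a few lines of modular arithmetic. The following is an added example, not code from the book; the function names are illustrative, Miller's test is written for n − 1 = 2^s t as in the answers, and the Carmichael check is the divisibility condition (p − 1) | (n − 1) that the answers apply through Theorem 6.7, with trial division assumed adequate for numbers of this size.

```python
def fermat_passes(n, b):
    """True when b^n = b (mod n), i.e. n is prime or a pseudoprime to base b."""
    return pow(b, n, n) == b % n


def decompose(n):
    """Write n - 1 = 2^s * t with t odd and return (s, t)."""
    s, t = 0, n - 1
    while t % 2 == 0:
        s, t = s + 1, t // 2
    return s, t


def miller_test(n, b):
    """True when odd n passes Miller's test for the base b."""
    s, t = decompose(n)
    x = pow(b, t, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):               # check b^(2^j t) for j = 1 .. s-1
        x = x * x % n
        if x == n - 1:
            return True
    return False


def prime_factors(n):
    """Factor n by trial division; returns {prime: exponent}."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1 if p == 2 else 2
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def is_carmichael(n):
    """Composite, squarefree, and (p - 1) | (n - 1) for every prime p | n."""
    factors = prime_factors(n)
    if n < 3 or factors == {n: 1}:
        return False                      # primes are excluded
    return all(e == 1 and (n - 1) % (p - 1) == 0 for p, e in factors.items())


def third_factors(limit):
    """Primes q < limit for which 7 * 23 * q is a Carmichael number."""
    return [q for q in range(2, limit)
            if q not in (7, 23)
            and prime_factors(q) == {q: 1}
            and is_carmichael(7 * 23 * q)]


if __name__ == "__main__":
    print(fermat_passes(1387, 2), miller_test(1387, 2))
    print(decompose(25326001), [miller_test(25326001, b) for b in (2, 3, 5, 7)])
    print(third_factors(5000), is_carmichael(321197185))
```

A composite that passes Miller's test for 2, 3, and 5 is why a fixed small set of bases cannot be trusted on adversarially chosen inputs; the base 7 result in the output shows one further base already separating it.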


Section 6.3 


1. a. 1, 5  b. 1, 2, 4, 5, 7, 8  c. 1, 3, 7, 9  d. 1, 3, 5, 9, 11, 13  e. 1, 3, 5, 7, 9, 11, 13, 15  f. 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16

3. If (a, m) = 1, then (−a, m) = 1, so −c_i must appear among the c_j. Also c_i ≢ −c_i (mod m), or else 2c_i ≡ 0 (mod m) and so (c_i, m) ≠ 1. Hence, the elements in the sum can be paired so that each pair sums to 0 (mod m), and thus the entire sum is 0 (mod m).

5. 1
7. 11


9. Because a^2 ≡ 1 (mod 8) whenever a is odd, it follows that a^12 ≡ 1 (mod 8) whenever (a, 32760) = 1. Euler's theorem tells us that a^φ(9) = a^6 ≡ 1 (mod 9) whenever (a, 9) = 1, so that a^12 = (a^6)^2 ≡ 1 (mod 9) whenever (a, 32760) = 1. Furthermore, Fermat's little theorem tells us that a^4 ≡ 1 (mod 5) whenever (a, 5) = 1, a^6 ≡ 1 (mod 7) whenever (a, 7) = 1, and a^12 ≡ 1 (mod 13) whenever (a, 13) = 1. It follows that a^12 = (a^4)^3 ≡ 1 (mod 5), a^12 = (a^6)^2 ≡ 1 (mod 7), and a^12 ≡ 1 (mod 13) whenever (a, 32760) = 1. Because 32760 = 2^3 · 3^2 · 5 · 7 · 13 and the moduli 8, 9, 5, 7, and 13 are pairwise relatively prime, we see that a^12 ≡ 1 (mod 32760).

11. a. x ≡ 9 (mod 14)  b. x ≡ 13 (mod 15)  c. x ≡ 7 (mod 16)

13. For a particular i = 1, 2, ..., k, note that φ(n) = φ(p_1)φ(p_2) ··· φ(p_k) = φ(p_i)N for some integer N. Then, by Euler's theorem, a^{φ(n)+1} = a^{φ(p_i)N+1} = (a^{φ(p_i)})^N a ≡ 1^N a = a (mod p_i). This gives us a set of k linear congruences with moduli mutually relatively prime. So by the Chinese remainder theorem, the unique solution to the system modulo n is a. So a^{φ(n)+1} ≡ a (mod n).

15. a. x ≡ 37 (mod 187)  b. x ≡ 23 (mod 30)  c. x ≡ 6 (mod 210)  d. x ≡ 150,999 (mod 554,268).

17. 1

19. φ(13) = 12, φ(14) = 6, φ(15) = 8, φ(16) = 8, φ(17) = 16, φ(18) = 6, φ(19) = 18, φ(20) = 8
If (a, b) = 1 and (a, b − 1) = 1, then a | (b^{φ(a)} − 1)/(b − 1), which is a base b repunit. If (a, b − 1) = d > 1, then d divides any repunit of length k(b − 1), and (a/d) | (b^{φ(a/d)} − 1)/(b − 1) and these sets intersect infinitely often.


. Let a_1, a_2, ..., a_r be the bases to which n is a pseudoprime and for which (a_i, n) = 1 for each i. Then by part (a), we know that, for each i, n is not a pseudoprime to the base ba_i. Thus, we have 2r different elements relatively prime to n. Then by the definition of φ(n), we have r ≤ φ(n)/2.


Section 7.1 


1. 


a. Because for all positive integers m and n, f(mn) = 0 = 0 · 0 = f(m) · f(n), f is completely
multiplicative.  b. Because f(6) = 2, but f(2) · f(3) = 2 · 2 = 4, f is not completely
multiplicative. c. Because f(6) = 3, but f(2)- f(3)=3-2= 3, f is not completely 
multiplicative.  d. Because f(4) = log(4) > 1, but f(2) · f(2) = log(2) · log(2) < 1, f is not completely multiplicative.  e. Because for any positive integers m and n, f(mn) = (mn)^2 = m^2 n^2 = f(m) · f(n), f is completely multiplicative.  f. Because f(4) = 4! = 24, but f(2) · f(2) = 2!2! = 4, f is not completely multiplicative.  g. Because f(6) = 7, but f(2) · f(3) = 4 · 3 = 12, f is not completely multiplicative.  h. Because f(4) = 4^4 = 256, but f(2) · f(2) = 2^2 2^2 = 16, f is not completely multiplicative.  i. Because for any positive integers m and n, f(mn) = √(mn) = √m √n = f(m) · f(n), f is completely multiplicative.


. We have the following prime factorizations of 5186, 5187, and 5188: 5186 = 2 · 2593, 5187 = 3 · 7 · 13 · 19, and 5188 = 2^2 · 1297. Hence, φ(5186) = φ(2)φ(2593) = 1 · 2592 = 2592, φ(5187) = φ(3)φ(7)φ(13)φ(19) = 2 · 6 · 12 · 18 = 2592, and φ(5188) = φ(2^2)φ(1297) = 2 · 1296 = 2592. It follows that φ(5186) = φ(5187) = φ(5188).


- 7,9, 14, 18 


7. 35, 39, 45, 52, 56, 70, 72, 78, 84, 90 
9. o(2n) 


17. 
19, 


21. 


- multiples of 3 
. powers of 2 greater than 1 
. If n is odd, then (2, n) = 1 and φ(2n) = φ(2)φ(n) = 1 · φ(n) = φ(n). If n is even, say n = 2^s t with t odd. Then φ(2n) = φ(2^{s+1} t) = φ(2^{s+1})φ(t) = 2^s φ(t) = 2(2^{s−1}φ(t)) = 2(φ(2^s)φ(t)) = 2(φ(2^s t)) = 2φ(n).


n = 2* pp, --+ p, where each p; is a distinct Fermat prime. 


Letn = Pi - + + p% be the factorization for n. If n = 2(n) then, Pi +++ pt =2 jes ps! (P; — 
1). Cancelling the powers of all p;’s yields p;- - - p, =2 TTj=16 p; — 1). Ifany p; is an odd prime, 
then the factor (p ios 1) is even and must divide the product on the left-hand side. But there can 
be at most one factor of 2 on the left-hand side and it is accounted for by the factor of 2 in front 
of the product on the right-hand side. Therefore, no odd primes appear in the product. That is, 
n =2/ for some j. 

Because (m,n) = p, p divides one of the terms, say, n, exactly once, so n =kp with 

(m, k) = 1= (a, k). Then 6(n) = b (kp) = $(k)b(p) = O(k)(p — 1), and (mp) = pg(m) by 
the formula in Example 7.7. Then ¢(mn) = ¢(mkp) = o(mp)¢(k) = (po(m))(o(n)/(p — 1). 


. Let pj, ---, p, be those primes dividing a but not b. Let q), --- , g, be those primes dividing b 


but not a. Let 7, - - - r, be those primes dividing a and b. Let P = [[(1 — +), Q=[[(a- a) and 
R =[](1— +). Then we have $ (ab) = abP QR = SP RIOR _ 2@0) But p((a, b)) = (a, BR, 


soR= ete b) and we have ¢(ab) = fae) — = SO) as desired. The final conclusion 


now follows fon the fact that @((a, b)) < se b) when (a, b) > 1. 


25. 


27. 


29. 


31. 


33. 


35. 
Assume there are only finitely many primes, $2, 3, \ldots, p$. Let $N = 2 \cdot 3 \cdot 5 \cdots p$. Then $\phi(N) = 1$ because there is exactly one positive integer less than $N$ that is relatively prime to $N$, namely, 1, because every prime is a factor of $N$. However, $\phi(N) = \phi(2)\phi(3)\phi(5) \cdots \phi(p) = 1 \cdot 2 \cdot 4 \cdots (p - 1) > 1$. This contradiction shows that there are infinitely many primes.


From the formula for the $\phi$ function, we see that if $p \mid n$, then $p - 1 \mid k$. Because $k$ has only finitely many divisors, there are only finitely many possibilities for prime divisors of $n$. Further, if $p$ is prime and $p^a \mid n$, then $p^{a-1} \mid k$. Hence, $a \leq \log_p(k) + 1$. Therefore, each of the finitely many primes which might divide $n$ may appear to only finitely many exponents. Therefore, there are only finitely many possibilities for $n$.


As suggested, we take $k = 2 \cdot 3^{6j+1}$ with $j \geq 1$, and suppose that $\phi(n) = k$. From the formula for $\phi(n)$, we see that $\phi(n)$ has a factor of $(p - 1)$, which is even, for every odd prime that divides $n$. Because there is only one factor of 2 in $k$, there is at most one odd prime divisor of $n$. Because $k$ is not a power of 2, we know that an odd prime $p$ must divide $n$. Further, because $2 \parallel k$, we know that $4 \nmid n$. So $n$ is of the form $p^a$ or $2p^a$. Recall that $\phi(p^a) = \phi(2p^a)$. It remains to discover the value of $p$. If $a = 1$, then $\phi(p^a) = p - 1 = 2 \cdot 3^{6j+1}$. But then $p = 2 \cdot 3^{6j+1} + 1 = 6 \cdot (3^6)^j + 1 \equiv (-1)(1)^j + 1 \equiv 0 \pmod{7}$. Hence, $p = 7$. But $\phi(7) = 6 = 2 \cdot 3^{6j+1}$ implies that $j = 0$, contrary to hypothesis, so this is not a solution. Therefore, $a > 1$ and we have $\phi(p^a) = (p - 1)p^{a-1} = 2 \cdot 3^{6j+1}$, from which we conclude that $p = 3$ and $a = 6j + 2$. Therefore, the only solutions are $n = p^{6j+2}$ and $n = 2p^{6j+2}$.


If $n = p^r m$, then $\phi(p^r m) = (p^r - p^{r-1})\phi(m) \mid (p^r m - 1)$, and hence $p \mid 1$ or $r = 1$. So $n$ is square-free. If $n = pq$, then $\phi(pq) = (p - 1)(q - 1) \mid (pq - 1)$. Then $(p - 1) \mid (pq - 1) - (p - 1)q = q - 1$. Similarly, $(q - 1) \mid (p - 1)$, a contradiction.


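Let $n = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$. Let $P_i$ be the property that an integer is divisible by $p_i$. Let $S$ be the set $\{1, 2, \ldots, n - 1\}$. To compute $\phi(n)$, we need to count the elements of $S$ with none of the properties $P_1, P_2, \ldots, P_k$. Let $n(P_{i_1}, P_{i_2}, \ldots, P_{i_m})$ be the number of elements of $S$ with all of properties $P_{i_1}, P_{i_2}, \ldots, P_{i_m}$. Then $n(P_{i_1}, \ldots, P_{i_m}) = \frac{n}{p_{i_1} \cdots p_{i_m}}$. By Exercise 24 of Section 3.1, we have

$\phi(n) = n - \left(\frac{n}{p_1} + \frac{n}{p_2} + \cdots + \frac{n}{p_k}\right) + \left(\frac{n}{p_1 p_2} + \cdots + \frac{n}{p_{k-1} p_k}\right) - \cdots + (-1)^k \frac{n}{p_1 p_2 \cdots p_k} = n\left(1 - \sum_{p_i \mid n} \frac{1}{p_i} + \sum_{p_{i_1} p_{i_2} \mid n} \frac{1}{p_{i_1} p_{i_2}} - \sum_{p_{i_1} p_{i_2} p_{i_3} \mid n} \frac{1}{p_{i_1} p_{i_2} p_{i_3}} + \cdots + (-1)^k \frac{1}{p_1 p_2 \cdots p_k}\right).$

On the other hand, notice that each term in the expansion of $(1 - \frac{1}{p_1})(1 - \frac{1}{p_2}) \cdots (1 - \frac{1}{p_k})$ is obtained by choosing either 1 or $-\frac{1}{p_i}$ from each factor and multiplying the choices together. This gives each term the form $\frac{(-1)^m}{p_{i_1} p_{i_2} \cdots p_{i_m}}$. Note that each term can occur in only one way. Thus,

$n\left(1 - \frac{1}{p_1}\right)\left(1 - \frac{1}{p_2}\right) \cdots \left(1 - \frac{1}{p_k}\right) = n\left(1 - \sum_{p_i \mid n} \frac{1}{p_i} + \sum_{p_{i_1} p_{i_2} \mid n} \frac{1}{p_{i_1} p_{i_2}} - \cdots + (-1)^k \frac{1}{p_1 p_2 \cdots p_k}\right) = \phi(n).$

Note that $1 \leq \phi(m) \leq m - 1$ for $m > 1$. Hence if $n > 2$, $n > n_1 > n_2 > \cdots \geq 1$ where $n_1 = \phi(n)$ and $n_i = \phi(n_{i-1})$ for $i > 1$. Because $n_i$, $i = 1, 2, 3, \ldots$ is a decreasing sequence of positive integers, there must be a positive integer $r$ such that $n_r = 1$.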


Note that the definition of $f * g$ can also be expressed as $(f * g)(n) = \sum_{ab = n} f(a)g(b)$. Then the fact that $f * g = g * f$ is evident.


a. If either $m > 1$ or $n > 1$, then $mn > 1$ and one of $\iota(m)$ or $\iota(n)$ is equal to zero. Then $\iota(mn) = 0 = \iota(m)\iota(n)$. Otherwise, $m = n = 1$ and we have $\iota(mn) = 1 = 1 \cdot 1 = \iota(m)\iota(n)$. Therefore, $\iota(n)$ is multiplicative. b. $(\iota * f)(n) = \sum_{d \mid n} \iota(d) f(\frac{n}{d}) = \iota(1) f(n) = f(n)$ because $\iota(d) = 0$ except when $d = 1$. $(f * \iota)(n) = (\iota * f)(n) = f(n)$ by Exercise 37.


Let $h = f * g$ and let $(m, n) = 1$. Then $h(mn) = \sum_{d \mid mn} f(d) g(\frac{mn}{d})$. Because $(m, n) = 1$, each divisor $d$ of $mn$ can be expressed in exactly one way as $d = ab$ where $a \mid m$ and $b \mid n$. Then $(a, b) = 1$ and $(\frac{m}{a}, \frac{n}{b}) = 1$. Then there is a one-to-one correspondence between the divisors $d$ of $mn$ and the pairs of products $ab$ where $a \mid m$ and $b \mid n$. Then

$h(mn) = \sum_{a \mid m,\ b \mid n} f(ab) g\left(\frac{mn}{ab}\right) = \sum_{a \mid m,\ b \mid n} f(a) f(b) g\left(\frac{m}{a}\right) g\left(\frac{n}{b}\right) = \sum_{a \mid m} f(a) g\left(\frac{m}{a}\right) \sum_{b \mid n} f(b) g\left(\frac{n}{b}\right) = h(m)h(n),$

as desired.

43. a.-1 b-1 e41 d1 e-1 f.-1 gl 

45. Let $f(n) = \sum_{d \mid n} \lambda(d)$. Suppose $p^t \parallel n$. Then $f(p^t) = \lambda(1) + \lambda(p) + \lambda(p^2) + \cdots + \lambda(p^t) = 1 - 1 + 1 - \cdots + (-1)^t = 0$ if $t$ is odd and equal to 1 if $t$ is even. Note that $f(n) = f(p^t b) = \sum_{d \mid p^t b} \lambda(d) = \sum_{e \mid b} \lambda(e)(\lambda(1) + \lambda(p) + \cdots + \lambda(p^t)) = f(b) f(p^t)$. By induction, this shows that $f$ is multiplicative. Then $f(n) = f(p_1^{a_1} p_2^{a_2} \cdots p_r^{a_r}) = \prod f(p_i^{a_i}) = 0$ if any $a_i$ is odd ($n$ is not a square) and equal to 1 if all $a_i$ are even ($n$ is a square).

47. If $f$ and $g$ are completely multiplicative and $m$ and $n$ are positive integers, then we have $(fg)(mn) = f(mn)g(mn) = f(m)f(n)g(m)g(n) = f(m)g(m)f(n)g(n) = (fg)(m)(fg)(n)$, so $fg$ is also completely multiplicative.

49. $f(mn) = \log mn = \log m + \log n = f(m) + f(n)$

5l.a.2 b3 «41 d.4 @8 £15 

53. Let $(m, n) = 1$. Then by the additivity of $f$, we have $f(mn) = f(m) + f(n)$. Then $g(mn) = 2^{f(mn)} = 2^{f(m) + f(n)} = 2^{f(m)} 2^{f(n)} = g(m)g(n)$.

Section 7.2 

1. a. 48 b. 399 c. 2340 d. $2^{101} - 1$ e. 6912 f. 813,404,592 g. 15,334,088 h. 13,891,399,238,731,734,720

3. perfect squares 

5. a. 6, 11 b. 10, 17 c. 14, 15, 23 d. 33, 35, 47 e. none f. 44, 65, 83

7. Note that $\tau(p^{k-1}) = k$ whenever $p$ is prime and $k$ is a positive integer $k > 1$. Hence, the equation $\tau(n) = k$ has infinitely many solutions.

9. squares of primes 

11. n°? 

13. a. The $n$th term is $\sigma(2n)$. b. The $n$th term is $\sigma(n) - \tau(n)$. c. The $n$th term is the least positive integer $m$ with $\tau(m) = n$. d. The $n$th term is the number of solutions $k$ to the equation $\sigma(k) = n$.

15. 2, 4, 6, 12, 24, 36 

17. Let $a$ be the largest highly composite integer less than or equal to $n$. Note that $2a$ is less than or equal to $2n$ and has more divisors than $a$, and hence $\tau(2a) > \tau(a)$. By Exercise 16, there must be a highly composite integer $b$ with $a < b \leq 2a$. If $b \leq n$, this contradicts the choice of $a$. Therefore, $n < b \leq 2n$. It follows that there must be a highly composite integer $k$ with $2^m < k \leq 2^{m+1}$ for every nonnegative integer $m$. Therefore, there are at least $m$ highly composite integers less than or equal to $2^m$. Thus, the $m$th highly composite integer is less than or equal to $2^m$.


19. 1, 2, 4, 6, 12, 24, 36, 48 


$1 + p^k$


23. Suppose that $a$ and $b$ are positive integers with $(a, b) = 1$. Then $\sum_{d \mid ab} d^k = \sum_{d_1 \mid a,\ d_2 \mid b} (d_1 d_2)^k = \sum_{d_1 \mid a} d_1^k \sum_{d_2 \mid b} d_2^k = \sigma_k(a)\sigma_k(b)$.


25. prime numbers 


27. 


29. 


31. 


35. 


37. 
39. 
Let $n = p_1^{a_1} p_2^{a_2} \cdots p_r^{a_r}$ and let $x$ and $y$ be integers such that $[x, y] = n$. Then $x \mid n$ and $y \mid n$, so we have $x = p_1^{b_1} p_2^{b_2} \cdots p_r^{b_r}$ and $y = p_1^{c_1} p_2^{c_2} \cdots p_r^{c_r}$, where $b_i$ and $c_i = 0, 1, 2, \ldots, a_i$. Because $[x, y] = n$, we must have $\max\{b_i, c_i\} = a_i$ for each $i$. Then one of $b_i$ and $c_i$ must be equal to $a_i$ and the other can range over $0, 1, \ldots, a_i$. Therefore, we have $2a_i + 1$ ways to choose the pair $(b_i, c_i)$ for each $i$. Then in total, we can choose the exponents $b_1, b_2, \ldots, b_r, c_1, \ldots, c_r$ in $(2a_1 + 1)(2a_2 + 1) \cdots (2a_r + 1) = \tau(n^2)$ ways.

Suppose that $n$ is composite. Then $n = ab$ where $a$ and $b$ are integers with $1 < a < b < n$. It follows that either $a > \sqrt{n}$ or $b > \sqrt{n}$. Consequently, $\sigma(n) > 1 + a + b + n > 1 + \sqrt{n} + n > n + \sqrt{n}$. Conversely, suppose that $n$ is prime. Then $\sigma(n) = n + 1$ so that $\sigma(n) < n + \sqrt{n}$. Hence, $\sigma(n) > n + \sqrt{n}$ implies that $n$ is composite.

For n = 1, the statement is true. Suppose that ee, t(j) =2 ye [34] — [Jn — IP. For 
the induction step, it suffices to show that t(n) = 2 Bee ([4] - []) = 2. jeer 
in 
which is true by the definition of t(n), because there is one factor less than ./n for every factor 
greater than ./n. Note that if n is a perfect square, we must add the term 2./n — (2,/n — 1) =1 


to the last two sums. For n = 100, we have Ai t(j) =2 ei H — 100 = 482. 


. Leta=> pi! andb= > pi and let c; = min(a;, b;) for each i. We first prove that the product 


Il, ae pio(p tt) = Vala.) 49 (ab/d?). To see this, let d be any divisor of (a, b), say, 


d=[]| p; 4i- Then d; < c; for each i, so each of the terms Be a( Ds! sa appears in exactly 


one of the sums in the product. Therefore, if we expand the product, we will find, exactly 

d; j+bj—2d; j +b; —2d; i pti Pi 7 pti, \ _ 
once, the term |], Piia(p )=do (Oy pe ) =do (T1,,(PF /D;')(D;'/P; )) = 
da((a /d) (b/d)). his proves the first identity. Next, consider the sum BPG aaa + 
ptte-j ee eo p’), where c = min(a, b). The term p* appears in this sum once each time 
that k = a+ b — j, which happens exactly when a + b—c <k<a-+bD, that is, c + 1 times. On 
the other hand, in the expansion of the product (p? + p?-!+.---+1)(p?4+ po-34+.---+D= 
o(p*)o(p"), the same term p* appears whenever k = (a — m) + (b —n), where 0 < m <a and 
0 <n <b. Each of m and n determines the other, so p* appears exactly min(a + 1,b+1)=c+1 
times. Given this identity, we have o (a)o(b) =|], (pi + ae feet (py! + pi ae 
1) =T],, ye of pers + pth ge ere p} ), which is the right side of the identity, as we 
proved above. 
From Exercises 52 and 53 in Section 7.1, we know that the arithmetic function $f(n) = 2^{\omega(n)}$ is multiplicative. Further, because the Dirichlet product $h(n) = \sum_{d \mid n} 2^{\omega(d)} = f * g(n)$, where $g(n) = 1$ is also multiplicative, we know that $h(n)$ is also multiplicative. See Exercise 41 in Section 7.1. Because $\tau(n)$ and $n^2$ are multiplicative, so is $\tau(n^2)$. Therefore, it is sufficient to prove the identity for $n$ equal to a prime power, $p^a$. We have $\tau(p^{2a}) = (2a + 1)$. On the other hand, we have $\sum_{d \mid p^a} 2^{\omega(d)} = \sum_{i=0}^{a} 2^{\omega(p^i)} = 1 + \sum_{i=1}^{a} 2^1 = 2a + 1$.


$(1)o(2) --- p(n) 


If $p$ and $p + 2$ are prime, then $\sigma(p) = p + 1 = \phi(p + 2)$. If $2^p - 1$ is prime, then $\phi(2^{p+1}) = 2^p = \sigma(2^p - 1)$.


Section 7.3 


1. 
3: 
5. 


6; 28; 496; 8128; 33,550,336; 8,589,869,056 
a. 31 b. 127 c. 127
12, 18, 20, 24, 30, 36 
13.


15. 


29. 
31. 


33. 
. Suppose that $n = p^k$ where $p$ is prime and $k$ is a positive integer. Then $\sigma(p^k) = \frac{p^{k+1} - 1}{p - 1}$. Note that $2p^k - 1 < p^{k+1}$ because $p \geq 2$. It follows that $p^{k+1} - 1 < 2(p^{k+1} - p^k) = 2p^k(p - 1)$, so that $\frac{p^{k+1} - 1}{p - 1} < 2p^k = 2n$. It follows that $n = p^k$ is deficient.


. Suppose that $n$ is abundant or perfect. Then $\sigma(n) \geq 2n$. Suppose that $n \mid m$. Then $m = nk$ for some integer $k$. The divisors of $m$ include the integers $kd$ and $d \mid n$. Hence, $\sigma(m) \geq \sum_{d \mid n}(k + 1)d = (k + 1)\sum_{d \mid n} d = (k + 1)\sigma(n) \geq (k + 1)2n > 2kn = 2m$. Hence, $m$ is abundant.


If $p$ is any prime, then $\sigma(p) = p + 1 < 2p$, so $p$ is deficient. Because there are infinitely many primes, we must have infinitely many deficient numbers.


See Exercises 6 and 9 for an alternate solution. For a positive integer $a$, let $n = 3^a \cdot 5 \cdot 7$ and compute $\sigma(n) = \sigma(3^a \cdot 5 \cdot 7) = ((3^{a+1} - 1)/(3 - 1))(5 + 1)(7 + 1) = (3^{a+1} - 1) \cdot 24 = 3^{a+1} \cdot 24 - 24 = 2 \cdot 3^a(36) - 24 = 2 \cdot 3^a(35) + 2 \cdot 3^a - 24 = 2n + 2 \cdot 3^a - 24$, which will be greater than $2n$ whenever $a \geq 3$. This demonstrates infinitely many odd abundant integers.

a. The prime factorizations of 220 and 284 are $220 = 2^2 \cdot 5 \cdot 11$ and $284 = 2^2 \cdot 71$. Hence, $\sigma(220) = \sigma(2^2)\sigma(5)\sigma(11) = 7 \cdot 6 \cdot 12 = 504$ and $\sigma(284) = \sigma(2^2)\sigma(71) = 7 \cdot 72 = 504$. Because $\sigma(220) = \sigma(284) = 220 + 284 = 504$, it follows that 220 and 284 form an amicable pair. b. The prime factorizations of 1184 and 1210 are $1184 = 2^5 \cdot 37$ and $1210 = 2 \cdot 5 \cdot 11^2$. Hence, $\sigma(1184) = \sigma(2^5)\sigma(37) = 63 \cdot 38 = 2394$ and $\sigma(1210) = \sigma(2)\sigma(5)\sigma(11^2) = 3 \cdot 6 \cdot 133 = 2394$. Because $\sigma(1184) = \sigma(1210) = 1184 + 1210 = 2394$, 1184 and 1210 form an amicable pair. c. The prime factorizations of 79,750 and 88,730 are $79{,}750 = 2 \cdot 5^3 \cdot 11 \cdot 29$ and $88{,}730 = 2 \cdot 5 \cdot 19 \cdot 467$. Hence, $\sigma(79{,}750) = \sigma(2)\sigma(5^3)\sigma(11)\sigma(29) = 3 \cdot 156 \cdot 12 \cdot 30 = 168{,}480$ and similarly $\sigma(88{,}730) = \sigma(2)\sigma(5)\sigma(19)\sigma(467) = 3 \cdot 6 \cdot 20 \cdot 468 = 168{,}480$. Because $\sigma(79{,}750) = \sigma(88{,}730) = 79{,}750 + 88{,}730 = 168{,}480$, it follows that 79,750 and 88,730 form an amicable pair.


. $\sigma(120) = \sigma(2^3 \cdot 3 \cdot 5) = \sigma(2^3)\sigma(3)\sigma(5) = 15 \cdot 4 \cdot 6 = 360 = 3 \cdot 120$
. 0 (27345-7-112- 17-19) = 2). $165 4.1074 DUELI74+ 094 DY = 255-121-6-8- 


133- 18-20 =5- 14,182,439,040. 


. Suppose that $n$ is 3-perfect and 3 does not divide $n$. Then $\sigma(3n) = \sigma(3)\sigma(n) = 4 \cdot 3n$. Hence, $3n$ is 4-perfect.


- 908,107,200 
25. 
27. 


$\sigma(\sigma(16)) = \sigma(31) = 32 = 2 \cdot 16$

Certainly if $r$ and $s$ are integers, then $\sigma(rs) \geq rs + r + s + 1$. Suppose $n = 2^q t$ is superperfect with $t$ odd and $t > 1$. Then $2n = 2^{q+1}t = \sigma(\sigma(2^q t)) = \sigma((2^{q+1} - 1)\sigma(t)) \geq (2^{q+1} - 1)\sigma(t) + (2^{q+1} - 1) + \sigma(t) + 1 > 2^{q+1}\sigma(t) \geq 2^{q+1}(t + 1)$. Then $t > t + 1$, a contradiction. Therefore, we must have $n = 2^q$, in which case we have $2n = 2^{q+1} = \sigma(\sigma(2^q)) = \sigma(2^{q+1} - 1) = \sigma(2n - 1)$. Therefore, $2n - 1 = 2^{q+1} - 1$ is prime.

a. yes b. no c. yes d. no

$M_n(M_n + 2) = (2^n - 1)(2^n + 1) = 2^{2n} - 1$. If $2n + 1$ is prime, then $\phi(2n + 1) = 2n$ and $2^{2n} \equiv 1 \pmod{2n + 1}$. Then $(2n + 1) \mid 2^{2n} - 1 = M_n(M_n + 2)$. Therefore, $(2n + 1) \mid M_n$ or $(2n + 1) \mid (M_n + 2)$.

Because $m$ is odd, $m^2 \equiv 1 \pmod 8$, so $n = p^a m^2 \equiv p^a \pmod 8$. By Exercise 32 (a), $a \equiv 1 \pmod 4$, so $p^a = p^{4k} p \equiv p \pmod 8$, because $p^{4k}$ is an odd square. Therefore, $n \equiv p \pmod 8$.


. = a . . . eae . = peti_y 
First suppose that n = p® where p is prime and a is a positive integer. Then o (n) = = es 


a+1 
y ee 


= al = oa = an so that o(n) 4 2n and n is not perfect. Next suppose that n = pq? 
~?P 3 

atl_4 . gett_1 2 

p-l q-1 


where a and b are primes and a and b are positive integers. Then o(n) = 7 


37. 
39. 
patightl 3) npq oe, n < n a 15n 2 H 2 d ‘ t 
e-DG-D = B-DG-D ~ CHaH = OH ~ 3 <2n. Hence, o(n) # 2n and n is no 


perfect. 
integers of the form p> and pq where p and q are primes. 


Suppose $M_n = 2^n - 1 = a^k$, with $n$ and $k$ integers greater than 1. Then $a$ must be odd. If $k = 2j$, then $2^n - 1 = (a^j)^2$. Because $n > 1$ and the square of an odd integer is congruent to 1 modulo 4, reduction of the last equation modulo 4 yields the contradiction $-1 \equiv 1 \pmod 4$; therefore, $k$ must be odd. Then $2^n = a^k + 1 = (a + 1)(a^{k-1} - a^{k-2} + \cdots + 1)$. So $a + 1 = 2^m$ for some integer $m$. Then $2^n - 1 = (2^m - 1)^k$. Now $n > mk$ so reduction modulo $2^{2m}$ gives $-1 \equiv k2^m - 1 \pmod{2^{2m}}$ or, because $k$ is odd, $2^m \equiv 0 \pmod{2^{2m}}$, a contradiction.


Section 7.4 

1.a0 bl e.-1 d0 e-1 f.1 g< 0 

3. 0, —1, —1, —1, 0, —1, 1, —1, 0, —1, —1, respectively 

5. 1, 6, 10, 14, 15, 21, 22, 26, 33, 34, 35, 38, 39, 46, 51, 55, 57, 58, 62, 65, 69, 74, 77, 82, 85, 86, 


87, 91, 93, 94, 95 


7. 1, 0, −1, −1, −2, −1, −2, −2, −2, −1, respectively


9. Because $\mu(n)$ is 0 for nonsquarefree $n$, 1 for $n$ a product of an even number of distinct primes and


11. 
13. 


15. 


17. 


19. 
21. 


. Because both sides of the equation are known to be multiplicative (see Exercise 35 in Section 


27. 
29. 


$-1$ for $n$ a product of an odd number of distinct primes, the sum $M(n) = \sum_{i=1}^{n} \mu(i)$ is unaffected by the nonsquarefree numbers, but counts 1 for every even product and $-1$ for every odd product. Thus, $M(n)$ counts how many more even products than odd products there are.

For any nonnegative integer $k$, the numbers $n = 36k + 8$ and $n + 1 = 36k + 9$ are consecutive and divisible by $4 = 2^2$ and $9 = 3^2$, respectively. Therefore, $\mu(36k + 8) + \mu(36k + 9) = 0 + 0 = 0$.


Let $h(n) = n$ be the identity function. Then from Theorem 7.7, we have $h(n) = n = \sum_{d \mid n} \phi(d)$. Then by the Möbius inversion formula, we have $\phi(n) = \sum_{d \mid n} \mu(d)h(n/d) = \sum_{d \mid n} \mu(d)(n/d) = n\sum_{d \mid n} \mu(d)/d$.

Because $\mu$ and $f$ are multiplicative, then so is their product, $\mu f$, by Exercise 46 of Section 7.1. Further, the summatory function $\sum_{d \mid n} \mu(d)f(d)$ is also multiplicative by Theorem 7.17. Therefore, it suffices to prove the proposition for $n$ a prime power. We compute $\sum_{d \mid p^a} \mu(d)f(d) = \mu(p^a)f(p^a) + \mu(p^{a-1})f(p^{a-1}) + \cdots + \mu(p)f(p) + \mu(1)f(1)$. But for exponents $j$ greater than 1, $\mu(p^j) = 0$, so the above sum equals $\mu(p)f(p) + \mu(1)f(1) = -f(p) + 1$.

p(n)/n 


(—1)* Ti Bi 
7.2), it suffices to prove the identity for $n = p^a$, a prime power. On one hand, we have $\sum_{d \mid p^a} \mu^2(d) = \mu^2(p) + \mu^2(1) = 1 + 1 = 2$. On the other hand, we have $\omega(p^a) = 1$, so the right side is $2^1 = 2$.


. Let $\lambda$ play the role of $f$ in the identity of Exercise 17. Then the left side equals $\prod_{j=1}^{k}(1 - \lambda(p_j)) = \prod_{j=1}^{k}(1 - (-1)) = 2^k = 2^{\omega(n)}$.

We compute $\mu * \nu(n) = \sum_{d \mid n} \mu(d)\nu(n/d) = \sum_{d \mid n} \mu(d) = \iota(n)$, by Theorem 7.15.

Because $\nu(n)$ is identically 1, we have $F(n) = \sum_{d \mid n} f(d) = \sum_{d \mid n} f(d)\nu(n/d) = f * \nu(n)$. If we Dirichlet multiply both sides by $\mu$, we have $F * \mu = f * \nu * \mu = f * \iota = f$.

From the Möbius inversion formula, we have $\Lambda(n) = \sum_{d \mid n} \mu(d)\log(n/d) = \sum_{d \mid n} \mu(d)(\log n - \log d) = \sum_{d \mid n} \mu(d)\log(n) - \sum_{d \mid n} \mu(d)\log(d) = \log n \sum_{d \mid n} \mu(d) - \sum_{d \mid n} \mu(d)\log(d) = \log n \, \iota(n) - \sum_{d \mid n} \mu(d)\log(d) = -\sum_{d \mid n} \mu(d)\log(d)$, because $\iota(n) = 0$ if $n$ is not 1, and $\log n = 0$ if $n = 1$.
a. Let k be an integer in the range 0 <k <n —1, and let d=(k, n), so that n = ay for 
some integer j. If ¢ is a primitive nth root of unity, we have ¢” = (¢%)/ = 1, so C7 is 
a jth root of unity. If ¢¢ were not a primitive jth root of unity, then 1= (¢%)? = ¢#? 
with db < dj =n, contradicting the assumption that ¢ is a primitive nth root of unity. So 
Tg nyaa(* — (¢2)*) = ® ;(x) as the product runs through a complete set of reduced residues 
modulo j. It remains to note that x” —1= Tee 5 — ¢*) because both polynomials have 
the same degree and the same roots. The nak product equals I1g),1¢ny=a(* — (¢7)*) = 
TIgin® j;(x). _b, From part (a), we have x? —1= Tap Og(x) = O)(x)O,(%) = (1- x)®, (x). 
Then ® ,(x) = (x? — 1)/(x — 1) =xP?-14x?74.--4+x+41. ce. From part (b), we have 
P= Tap Dy(x) = Oy (x) O2(x) P(x) Oz, (x). Because O)(x) = x — 1, a(x) = x + 1, and 
D(x) = (x? — 1)/(x — J), from part (b), we compute P,,(x) = 
xP — 1 _— @P-N)G@P +1) x? +1 
(-—D)a+DGP-D/@-) @+)GP-) x4] 
We need a little lemma: Let f(x) and g(x) be monic polynomials with rational coefficients. If 
f (x)g(x) has integer coefficients, then so do f (x) and g(x). Proof: Let f(x) =x” + ay,_x™~!+ 
--+ ag and g(x) =x" + b,_,x""!+----+ bp, and let M and N be the smallest positive integers 
such that Mf (x) and Ng(x) have integer coefficients. Then all coefficients of M Nf (x) g(x) are 
divisible by MN, because f (x)g(x) is an integer polynomial. Let p be a prime divisor of MN. 
If p J M, then p doesn’t divide the leading coefficient of Mf (x). If p | M, then some coefficient 
Ma; is not divisible by p, otherwise this would contradict the minimality of M. Let 7 be the 
largest index such that Ma, is not divisible by p. Similarly, let J be the largest index such that 
Nb; is not divisible by p. (In both cases, we take a,, = b,, = 1.) Then the coefficient of x/*/ 
in MN f(x)g(x) is Ma;Nb; + R where R is a sum of products involving Ma; and Nb; with 
either i > J or j > J, and hence p| R and therefore p { Ma,;Nb, + R. But this contradicts 
that p divides the coefficients of M Nf (x)g(x). This proves the lemma. Now, from Exercise 
34, we have ®, (x) = Tajn(x4 — 1h@/ 4) Let P(x) be the product of those factors for which 
p(n/d) = —1, and let Q(x) be the product of those factors for which jz(n/d) = 1. Then we have 
P(x)®,(x) = Q(x). Because Q(x) has integer coefficients, so does ®, (x), by the lemma. 


=xP 1 _ ye x td 


Section 7.5 

1. a. (2), (1, 1); p(2)=2 db. (4), GB, D, (2, 2), (2,1, D, (1, 1,1, D; p(4)=5_ « (6), (5, 1), 
(4, 2), (4, 1, 1), (3, 3), (3, 2, 1), (3, 1, 1, 1), (2, 2, 2), (2, 2, 1, 1), (2, 1, 1, 1, 1), (1, 1, 1, 1, 1, 0; 
p(6)=11  d. (9), (8, 1), (7,2), (7, 1, 1), (6, 3), (6, 2, 1), (6, 1, 1, 1), (5, 4,6, 3, 1), (5, 2, 2), 
(5, 2, 1, 1), (5, 1, 1, 1, 1), (4, 4, 0), (4, 3, 2), (4, 3, 1, D), (4, 2, 2, 0), (4, 2, 1, 1, D, (4, 1,1, 1, 1, D, 
(3, 3, 3), (3, 3, 2, 1), (3, 3, 1, 1, 0), G, 2, 2, 2), (3, 2, 2, 1, 1), (3, 2, 1,1, 1,1 ( ,1,1,1,1,1,) 
(2, 2, 2 - 1), (2, 2, 2, 1, 1, 1), (2, 2, 1, 1, 1, 1, 1), (2, 1, 1, 1, 1, 1, 1, 1), (1, 1, 1, 1, 1, 1, 1, 1, 0D; 
pQY)= 


3. Po(6) = ore 4, p2(6) = 
5.a8 bO «4 d7 «8 £2 g.4 hi2 
7. Let $n$ be a positive integer and let $A$ be the set of all partitions of $n$. Then there are $p(n)$ elements in $A$. Create subsets of $A$, named $A_1, A_2, \ldots, A_n$, as follows. For each partition in $A$, count the number of parts. If the number of parts is $k$, put the partition in $A_k$. Then the number of elements in $A_k$ will be $p(n, k)$. Because every partition of $n$ has between 1 and $n$ parts, all partitions go into


15. 
17. 


19. 
21. 
23. 


25. 
27. 


29. 


31. 


33. 
exactly one subset. Further, any two distinct subsets must be disjoint, so $A$ is the disjoint union of the $A_k$. Thus, $p(n) = |A| = |A_1| + |A_2| + \cdots + |A_n| = \sum_{k=1}^{n} p(n, k)$.


. $p(5, 1) = 1$, $p(5, 2) = 2$, $p(5, 3) = 2$, $p(5, 4) = 1$, $p(5, 5) = 1$. Then $1 + 2 + 2 + 1 + 1 = 7 = p(5)$.
. $[n/2]$ (greatest integer function)
. a. (5, 4, 2, 2, 1, 1), not self-conjugate b. (2, 2, 2, 2, 2, 2, 2, 1), not self-conjugate c. (7, 4, 3, 1), not self-conjugate d. (10, 5), not self-conjugate
(8, 1, 1, 1, 1, 1, 1, h, (6, 3, 3, 1, 1, 1), (5, 4, 3, 2, 1), (4, 4, 4, 3) 


Let $m$ and $n$ be integers with $1 \leq m \leq n$. If $P$ is a partition of $n$ into at most $m$ parts, then the Ferrers diagram will have at most $m$ rows. Let $Q$ be the conjugate of $P$. Then the Ferrers diagram for $Q$ will have at most $m$ columns, and hence represents a partition of $n$ into parts not greater than $m$. Therefore, $p(n \mid \text{at most } m \text{ parts}) \leq p(n \mid \text{parts no greater than } m)$. Conversely, suppose $Q$ is a partition of $n$ into parts no greater than $m$. Then the Ferrers diagram of $Q$ has at most $m$ columns. If $P$ is the conjugate of $Q$, then the Ferrers diagram for $P$ has at most $m$ rows, and hence represents a partition of $n$ into parts no greater than $m$. Therefore, $p(n \mid \text{parts no greater than } m) \leq p(n \mid \text{at most } m \text{ parts})$. The two inequalities together prove the assertion.


+27) = Pe 2" = 1/1 — x) 

Tk, + x74) /(1 — x4); 1, 2, 3, 4, 6, 12, 16, 22, 29 
12,0 - x%)/(1 — x*); 1, 2, 3, 4, 6, 12, 16, 22, 29 
Tg, — x*)/a — x*): 0, 1, 1, 1, 2, 3, 3, 5, 5, 8 


From the formula for the sum of a finite geometric series, we have (1— xt Dk) / 
(l—x*) =14 4% 4x24 4...4x%, From Exercise 23, the generating function for Pika yk+1y 7%) 
is [po (1 — x2@*) (1 — x) = TP + xk + x7 + --- + x4*), But this last expression is the 
generating function for p(n|no part appears more than d times) as found in Exercise 22. 

a. The generating function for $p(n \mid \text{no part equals } 1)$ is, by Theorem 7.21, $\prod_{k=2}^{\infty} 1/(1 - x^k) = (1 - x)\prod_{k=1}^{\infty} 1/(1 - x^k) = \prod_{k=1}^{\infty} 1/(1 - x^k) - x\prod_{k=1}^{\infty} 1/(1 - x^k)$. The coefficient of $x^n$ in the first product is $p(n)$. The coefficient of $x^n$ in the second product is $p(n - 1)$, because of the extra factor of $x$ in front of the product. Therefore, the coefficient of $x^n$ in the combined expression is $p(n) - p(n - 1)$. b. If we have a partition of $n - 1$, then we can add 1 as an additional part to get a partition of $n$ that contains a 1. Conversely, if we have a partition of $n$ having 1 as a part, then we can remove the 1 and obtain a partition of $n - 1$. So there is a one-to-one correspondence between the set of partitions of $n$ having 1 as a part and the set of partitions of $n - 1$. Therefore, the number of partitions of $n$ not having one as a part equals $p(n) - p(n \mid 1 \text{ is not a part}) = p(n) - p(n - 1)$.

Consider a partition of $n$ into distinct powers of 2. Define a process that changes the partition into a partition all of whose parts are 1, by taking any part $2^k$ and writing it as $2^{k-1} + 2^{k-1}$. By iterating this process, all parts will be reduced to $2^0 = 1$ and we will arrive at a partition of $n$ into parts of size 1. Also define a reverse process in which, if any two like powers of 2 are present, say, $2^k$ and $2^k$, they are merged into one part of size $2^{k+1}$. If we iterate this process on a partition into parts of size $1 = 2^0$, then we must eventually have all distinct powers of 2. Thus, we have a bijection between the set of partitions of $n$ into parts of size 1 and the set of partitions of $n$ into distinct powers of two. Therefore, $p_{\{1\}}(n) = p(n \mid \text{distinct powers of } 2)$. Because there is only one partition of $n$ into parts of size 1, there must be only one partition of $n$ into distinct powers of 2. Because such a partition is the binary expansion of $n$, this shows that the binary expansion is unique.


From Exercise 30, we know that po(n) equals the number of self-conjugate partitions of $n$. Call this number $N$, and consider the set of partitions of $n$. The subset of non-self-conjugate partitions of $n$ has an even number of elements, because each partition can be paired with its conjugate. Then $p(n)$ equals the number of non-self-conjugate partitions plus the number of self-conjugate partitions, which is an even number plus $N$, which in turn is odd if and only if $N$ is odd.


35. First, note that p(n — 2) = p(n|at least one part equals 2) because adding and removing of a part 


37. 


of size 2 gives us a bijection between the two sets of partitions. Second, note that we can change a partition of $n$ with no part of size 1 into at least one partition with a part of size 2 by taking the smallest part (which must be at least 2) and splitting off as many parts of size 1 as necessary. Therefore, $p(n \mid \text{at least one part of size } 2) \geq p(n \mid \text{no part equals } 1)$. Now from Exercise 34, we have $p(n) = p(n - 1) + p(n \mid \text{no part equals } 1) \leq p(n - 1) + p(n \mid \text{at least one part equals } 2) = p(n - 1) + p(n - 2)$.

Next, note that $p(1) = 1 = f_2$ and $p(2) = 2 = f_3$. This is our basis step. Suppose $p(n) \leq f_{n+1}$ for all integers up to $n$. Then $p(n + 1) \leq p(n) + p(n - 1) \leq f_{n+1} + f_n = f_{n+2}$, which proves the induction step. So by mathematical induction, we have $p(n) \leq f_{n+1}$ for every $n$.


$p(1) = 1$; $p(2) = 2$; $p(3) = 3$; $p(4) = 5$; $p(5) = 7$; $p(6) = 11$; $p(7) = 15$; $p(8) = 22$; $p(9) = 30$; $p(10) = 42$; $p(11) = 56$; $p(12) = 77$


39. For the first part of the theorem, note that the product can be rewritten as $\prod_{j \in S} 1/(1 - x^j) =$


41. 


$\prod_{j \in S}(1 + x^j + x^{2j} + \cdots)$. Then the coefficient of $x^n$, when we expand this product, is the number of ways we can write $n = a_1k_1 + a_2k_2 + \cdots$ where the $a_i$ are positive integers and the $k_i$ are elements from $S$, but this is exactly the number of partitions of $n$ into parts from $S$. For the second part of the theorem, note that when we expand the product $\prod_{j \in S}(1 + x^j)$, the coefficient of $x^n$ is the number of ways to write $n = k_1 + k_2 + \cdots$ where the $k_i$ are elements of $S$. But this is just the number of partitions into distinct parts from $S$.


The partitions of 11 into parts differing by at least 2 are (11), (10, 1), (9, 2), (8, 3), (7, 4), (7, 3, 1), and (6, 4, 1), for a total of 7. The positive integers less than or equal to 11 that are congruent to 1 or 4 modulo 5 are 1, 4, 6, 9, and 11, so the partitions of 11 into parts congruent to 1 or 4 modulo 5 are (11), (9, 1, 1), (6, 4, 1), (6, 1, 1, 1, 1, 1), (4, 4, 1, 1, 1), (4, 1, 1, 1, 1, 1, 1, 1), and (1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1), for a total of 7 also. This verifies the first Rogers-Ramanujan identity for $n = 11$. The partitions of 11 into parts differing by at least 2 and that are at least two are (11), (9, 2), (8, 3), and (7, 4), for a total of 4. The partitions of 11 into parts congruent to 2 or 3 modulo 5 are (8, 3), (7, 2, 2), (3, 3, 3, 2), and (3, 2, 2, 2, 2), for a total of 4 also. This verifies the second Rogers-Ramanujan identity for $n = 11$.


Section 8.1 


. DWWDF NDWGD ZQ 

. IEXXK FZKXC UUKZC STKJW 
- READ MY LIPS 

12 


. AN IDEA IS LIKE A CHILD NONE IS BETTER THAN YOUR OWN FROM CHINESE 
FORTUNE COOKIE 


. 9,12 
. THIS MESSAGE WAS ENCIPHERED USING AN AFFINE TRANSFORMATION 
. C=7P + 16 (mod 26) 


Section 8.2 


1 


- VSPFXH HIPKLB KIPMIE GTG 


11. 


13. 
15. 
17. 
19. 


21. 


23. 


25. 
. TJEVT EES PZ TJIAN IARAB GSHWQ HAS BU BJGAO XYACF XPHML AWVMO XANLB 


GABMS HNEIA TIEZV VWNOQOF TLEZF HJWPB WKEAG AENOF UACIH LATPR RDADR 
GKTJR XJDWA XXENB KA 


. Let $n$ be the key length, and suppose $k_1, k_2, \ldots, k_n$ are the numerical equivalents of the letters of the keyword. If $p_i = p_j$ are two plaintext characters separated by a multiple of the key length, when we separate the plaintext into blocks of length $n$, $p_i$ and $p_j$ will be in the same position in their respective blocks, say, the $m$th position. So when we encrypt them, we get $c_i \equiv p_i + k_m = p_j + k_m \equiv c_j \pmod{26}$.


. The key is YES, and the plaintext is MISTA KES AR EAPAR TOFBE INGHU MANAP PRECI 


ATEYO URMIS TAKES FORWH ATTHE YAREP RECIO USLIF ELESS ONSTH ATCAN 
ONLYB ELEAR NEDTH EHARD WAYUN LESSI TISAF ATALM ISTAK EWHIC HATLE 
ASTOT HERSC ANLEA RNFRO M. 


. The key is BIRD, and the plaintext is IONCE HADAS PARRO WALIG HTUPO NM YSH OULDE 


RFORA MOMEN TWHIL EIWAS HOEIN GINAV ILLAG EGARD ENAND IFELT THATI 
WASMO REDIS TINGU ISHED BYTHA TCIRC UMSTA NCETH ATISH OULDH AVEBE 
ENBYA NYEPA ULETI COULD HAVEW ORN. 


The key is SAGAN, and the plaintext is BUTTH EFACT THATS OMEGE NIUSE SWERE 
LAUGH EDATD OESNO TIMPL YTHAT ALLWH OAREL AUGHE DATAR EGENI USEST 
HEY LA UGHED ATCOL UMBUS THEYL AUGHE DATFU LTONT HEYLA UGHED ATTHE 
WRIGH TBROT HERSB UTTHE YALSO LAUGH EDATB OZOTH ECLOW N. 

RL OQ NZ OF XM CQ KG QI VD AZ 

TO SLEEP PERCHANCE TO DREAMX 

3, 24, 24, 25 

We have $C \equiv AP \pmod{26}$. Multiplying both sides on the left by $A$ gives $AC \equiv A^2P \equiv IP \equiv P \pmod{26}$. The congruence $A^2 \equiv I \pmod{26}$ follows because $A$ is involutory. It follows that $A$ is also a deciphering matrix.


11 6 
eG () (mod 26) 


If the plaintext is grouped into blocks of size $m$, we may take $[m, n]/m$ of these blocks to form a super-block of size $[m, n]$. If $A$ is the $m \times m$ enciphering matrix, form the $[m, n] \times [m, n]$ matrix $B$ with $[m, n]/m$ copies of $A$ on the diagonal and zeros elsewhere:

$B = \begin{pmatrix} A & 0 & \cdots & 0 \\ 0 & A & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & A \end{pmatrix}.$

Then $B$ will encipher $[m, n]/m$ blocks of size $m$ at once. Similarly, if $C$ is the $n \times n$ enciphering matrix, form the corresponding $[m, n] \times [m, n]$ matrix $D$. Then $BD$ is an $[m, n] \times [m, n]$ enciphering matrix that does everything at once.


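Multiplication of $(0 \cdots 0\,1\,0 \cdots 0)\begin{pmatrix} P_1 \\ P_2 \\ \vdots \\ P_n \end{pmatrix}$ with the 1 in the $i$th place yields the $1 \times 1$ matrix $(P_i)$. So if the $j$th row of a matrix $A$ is $(0 \cdots 0\,1\,0 \cdots 0)$, then $A\begin{pmatrix} P_1 \\ \vdots \\ P_n \end{pmatrix} = \begin{pmatrix} C_1 \\ \vdots \\ C_n \end{pmatrix}$ gives $C_j = P_i$. So if every row of $A$ has its 1 in a different column, then each $C_j$ is equal to a different $P_i$. Hence, $A$ is a “permutation” matrix.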
27. P=( 1 ) C+ (a (mod 26) 

29. TOXIC WASTE 

31. Make a frequency count of the trigraphs and use a published English language count of frequencies of trigraphs. Then proceed as in problem 18. There are 12 variables to determine, so 4 guesses are needed.

33. yes 

35. 011101 1010 

37. RENDE ZVOUS 

39. Let $p_1p_2 \cdots p_m$ and $q_1q_2 \cdots q_m$ be two different plaintext bit streams. Let $k_1, k_2, \ldots, k_m$ be the keystream by which the plaintexts are encrypted. Then note that for any $i = 1, 2, \ldots, m$, $E_{k_i}(p_i) + E_{k_i}(q_i) = k_i + p_i + k_i + q_i = 2k_i + p_i + q_i \equiv p_i + q_i \pmod 2$. Therefore, by adding corresponding bits of the ciphertext streams, we get the sums of the corresponding bits of the plaintext streams. This partial information can lead to successful cryptanalysis of encrypted messages.
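
The cancellation in Exercise 39 can be checked on concrete bit streams. The following Python sketch is an added example, not part of the book; the two sample messages and all function names are constructed for illustration. It shows that reusing a keystream leaves $p_i + q_i \pmod 2$ exposed, while one fresh keystream per message keeps the sum masked.

```python
import secrets


def to_bits(text):
    """ASCII text -> list of bits, most significant bit of each byte first."""
    return [(byte >> s) & 1 for byte in text.encode("ascii") for s in range(7, -1, -1)]


def from_bits(bits):
    """Inverse of to_bits."""
    data = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        data.append(byte)
    return data.decode("ascii")


def add_mod2(a, b):
    """Bitwise sum modulo 2 of two equal-length bit streams."""
    if len(a) != len(b):
        raise ValueError("streams must have the same length")
    return [(x + y) % 2 for x, y in zip(a, b)]


def new_keystream(length):
    """Fresh random keystream k_1, ..., k_m."""
    return [secrets.randbits(1) for _ in range(length)]


def sum_of_ciphertexts(p, q, k_for_p, k_for_q):
    """Return E(p) + E(q) (mod 2), each message enciphered with the keystream given."""
    return add_mod2(add_mod2(p, k_for_p), add_mod2(q, k_for_q))


def equal_characters(leak):
    """Character positions where the two plaintexts agree (all 8 bits sum to 0)."""
    return [i // 8 for i in range(0, len(leak), 8) if not any(leak[i:i + 8])]


# Constructed sample messages of equal length (assumption of this example).
P_TEXT = "MEET AT DAWN"
Q_TEXT = "STAY AT HOME"

if __name__ == "__main__":
    p, q = to_bits(P_TEXT), to_bits(Q_TEXT)
    k = new_keystream(len(p))

    # Same keystream for both messages: 2*k_i vanishes modulo 2.
    leak = sum_of_ciphertexts(p, q, k, k)
    print("keystream cancels:", leak == add_mod2(p, q))
    print("positions where the plaintexts agree:", equal_characters(leak))
    print("second message, given the first:", from_bits(add_mod2(leak, p)))

    # One keystream per message: the sum stays masked by k + k'.
    fresh = sum_of_ciphertexts(p, q, k, new_keystream(len(p)))
    print("sum still masked with fresh keystreams:", fresh != add_mod2(p, q))
```
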

Section 8.3 

1. 141717 27 11 17 65 76 07 76 14 

3. BEAM ME UP 

5. We encipher messages using the transformation $C \equiv P^{11} \pmod{31}$. The deciphering exponent is the inverse of 11 modulo 30 because $\phi(31) = 30$. But 11 is its own inverse modulo 30 because $11 \cdot 11 = 121 \equiv 1 \pmod{30}$. It follows that 11 is both the enciphering and deciphering exponent.

Section 8.4 

1. 151, 97 

3. Because a block of ciphertext p is less than n, we must have (p, n) = p or q. Therefore, the 
cryptanalyst has a factor of n. 

5. 1215 1224 1471 0023 0116 

7. GREETINGSX 

9. 0872 2263 1537 2392 

11. No. It is as if the encryption key were $(e_1e_2, n)$, and it is no more difficult (or easy) to discover the inverse of $e = e_1e_2$ than it would be to discover the inverse of either of the factors modulo $\phi(n)$.

13. Suppose $P$ is a plaintext message and the two encrypting exponents are $e_1$ and $e_2$. Let $a = (e_1, e_2)$. Then there exist integers $x$ and $y$ such that $e_1x + e_2y = a$. Let $C_1 \equiv P^{e_1} \pmod n$ and $C_2 \equiv P^{e_2} \pmod n$ be the two cipher texts. Because $C_1$, $C_2$, $e_1$, and $e_2$ are known to the decipherer, and because $x$ and $y$ are relatively easy to compute, then it is also easy to compute $C_1^x C_2^y \equiv P^{e_1x}P^{e_2y} = P^{e_1x + e_2y} = P^a \pmod n$. If $a = 1$, then $P$ has been recovered. If $a$ is fairly small, then it may not be too difficult to compute $a$th roots of $P^a$ and thereby recover $P$.

15. Encryption works the same as for the two prime case. For decryption, we must compute an inverse $d$ for $e$ modulo $\phi(n) = (p - 1)(q - 1)(r - 1)$ where $n = pqr$ the product of three primes. Then we proceed as in the two prime case.

17. Let the encryption key be $(e, n)$. Then $C_1 \equiv P_1^e \pmod n$ and $C_2 \equiv P_2^e \pmod n$, where $C_1$ and $C_2$ are reduced residues modulo $n$. When we encrypt the product, we get $C \equiv (P_1P_2)^e = P_1^eP_2^e \equiv C_1C_2 \pmod n$, as desired.
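The recovery in answer 13 above, written out as an added Python example (not code from the book). The modulus, exponents and plaintexts are constructed for the demonstration, and the helper names are hypothetical; the second case covers $a = (e_1, e_2) > 1$, where the plaintext only falls out if $P^a < n$.

```python
# Added example: why one modulus must never carry two public exponents.
# All key material here is constructed for the demonstration.

def ext_gcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def signed_pow(c, k, n):
    """c**k mod n for any integer k; a negative k needs (c, n) = 1."""
    if k >= 0:
        return pow(c, k, n)
    g, inv, _ = ext_gcd(c % n, n)
    if g != 1:
        # A ciphertext sharing a factor with n already exposes that factor.
        raise ValueError("ciphertext is not invertible modulo n, gcd = %d" % g)
    return pow(inv % n, -k, n)


def common_modulus_recover(c1, e1, c2, e2, n):
    """Return (a, P**a mod n), where a = (e1, e2), from C1 = P^e1, C2 = P^e2."""
    a, x, y = ext_gcd(e1, e2)          # e1*x + e2*y == a
    return a, (signed_pow(c1, x, n) * signed_pow(c2, y, n)) % n


def exact_root(v, a):
    """Integer a-th root of v, or None when v is not a perfect a-th power."""
    lo, hi = 0, 1
    while hi ** a <= v:
        hi *= 2
    while hi - lo > 1:                 # invariant: lo**a <= v < hi**a
        mid = (lo + hi) // 2
        if mid ** a <= v:
            lo = mid
        else:
            hi = mid
    return lo if lo ** a == v else None


# Constructed modulus: product of the Mersenne primes 2^31 - 1 and 2^61 - 1.
N = (2**31 - 1) * (2**61 - 1)


def demo():
    # Case a = 1: exponents 17 and 19 are coprime, so P itself is recovered.
    p1 = int.from_bytes(b"REGARDS", "big")
    a1, r1 = common_modulus_recover(pow(p1, 17, N), 17, pow(p1, 19, N), 19, N)
    # Case a = 17: exponents 17*19 and 17*23 give P^17, and a small P
    # (P^17 < N) is then found by an ordinary integer root.
    p2 = 40
    a2, r2 = common_modulus_recover(pow(p2, 323, N), 323, pow(p2, 391, N), 391, N)
    return (a1, r1 == p1), (a2, exact_root(r2, a2))


if __name__ == "__main__":
    print(demo())
```

The only secret-free inputs are the two ciphertexts and the two public keys, which is why each user needs a modulus of their own.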
Section 8.5

1. a. yes b. no c. yes d. no

3. Proceed by induction. Certainly $a_1 < 2a_1 < a_2$. Suppose $\sum_{j=1}^{n-1} a_j < a_n$. Then $\sum_{j=1}^{n} a_j = \sum_{j=1}^{n-1} a_j + a_n < a_n + a_n = 2a_n < a_{n+1}$.

5. (17, 51, 85, 7, 14, 45, 73)

7. NUTS

9. If the multipliers and moduli are $(w_1, m_1), (w_2, m_2), \ldots, (w_r, m_r)$, the inverses $\bar{w}_1, \bar{w}_2, \ldots, \bar{w}_r$ can be computed with respect to their corresponding moduli. Then we multiply and reduce successively by $(\bar{w}_r, m_r), (\bar{w}_{r-1}, m_{r-1}), \ldots, (\bar{w}_1, m_1)$. The result will be the plaintext sequence of easy knapsack problems.

11. $8 \cdot 21 \cdot 95$

13. For $i = 1, 2, \ldots, n$, we have $b^{\alpha_i} \equiv a_i \pmod m$. Then $b^S \equiv P \equiv (b^{\alpha_1})^{x_1}(b^{\alpha_2})^{x_2}\cdots(b^{\alpha_n})^{x_n} \equiv b^{\alpha_1x_1+\cdots+\alpha_nx_n} \pmod m$. Then $S \equiv \alpha_1x_1 + \cdots + \alpha_nx_n \pmod{\phi(m)}$. Because $S + k\phi(m)$ is also a logarithm of $P$ to the base $b$, we may take the congruence to be an equation. Because the $x_i = 0$ or 1, this becomes an additive knapsack problem on the sequence $(\alpha_1, \alpha_2, \ldots, \alpha_n)$.


Section 8.6 


1. 90

3. 476

5. Let $k_1, k_2, \ldots, k_n$ be the private keys for parties 1 through $n$, respectively. There are $n$ steps in this protocol. The first step is for each of the parties 1 through $n$ to compute the least positive residue of $r^{k_i} \pmod p$ and send this value $y_i$ to the $(i + 1)$st party. (The $n$th party sends his value to the 1st party.) Now the $i$th party has the value $y_{i-1}$ (where we take $y_0$ to be $y_n$). The second step is for each party to compute the least positive residue of $y_{i-1}^{k_i} \pmod p$ and send this value to the $(i + 1)$st party. Now the $i$th party has the least positive residue of $r^{k_{i-1}k_{i-2}} \pmod p$. This process is continued for a total of $n$ steps. However, at the $n$th step, the computed value is not sent on to the next party. Then the $i$th party will have the least positive residue of $r^{k_{i-1}k_{i-2}\cdots k_1k_nk_{n-1}\cdots k_{i+1}k_i} \pmod p$, which is exactly the value of $K$ desired.

7. a. 0371 0354 0858 0858 0087 1369 0354 0000 0087 1543 1797 0535 b. 0833 0457 0074 0323 0621 0105 0621 0865 0421 0000 0746 0803 0105 0621 0421

9. a. If $n_i < n_j$, then the block sizes are chosen small enough so that each block is unique modulo $n_i$. Because $n_i < n_j$, each block will be unique modulo $n_j$ after applying the transformation $D_{k_i}$. Therefore we can apply $E_{k_j}$ to $D_{k_i}(P)$ and retain uniqueness of blocks. If $n_i > n_j$, the argument is similar. b. If $n_i < n_j$, individual $j$ receives $E_{k_j}(D_{k_i}(P))$ and knows an inverse for $e_j$ modulo $\phi(n_j)$. So he can apply $D_{k_j}(E_{k_j}(D_{k_i}(P))) = D_{k_i}(P)$. Because he also knows $e_i$, he can apply $E_{k_i}(D_{k_i}(P)) = P$ and discover the plaintext $P$. If $n_i > n_j$, then individual $j$ receives $D_{k_i}(E_{k_j}(P))$. Because he knows $e_i$, he can apply $E_{k_i}(D_{k_i}(E_{k_j}(P))) = E_{k_j}(P)$. Because he also knows $\bar{e}_j$, he can apply $D_{k_j}(E_{k_j}(P)) = P$ and discover the plaintext $P$. c. Because only individual $i$ knows $\bar{e}_i$, only he can apply the transformation $D_{k_i}$ and thereby make $E_{k_i}(D_{k_i}(P))$ intelligible. d. $n_i = 2867 > n_j = 2537$, so we compute $D_{k_i}(E_{k_j}(P))$. Both $n_i$ and $n_j > 2525$, so we use blocks of four. REGARDS FRED becomes 1704 0600 1703 1805 1704 0323 (adding an X to fill out the last block). $e_i = 11$ and $\phi(n_i) = 2760$, so $\bar{e}_i = 251$. We apply $E_{k_j}(P) \equiv P^{13} \pmod{2537}$ to each block and get 1943 0279 0847 0171 1943 0088. Then we apply $D_{k_i}(E) \equiv E^{251} \pmod{2867}$ and get 0479 2564 0518 1571 0479 1064. Now because $n_j < n_i$, individual $j$ must send $E_{k_i}(D_{k_j}(P))$, $e_j = 13$, $\phi(2537) = 2436$, and $\bar{e}_j = 937$. Then $D_{k_j}(P) \equiv P^{937} \pmod{2537}$ and $E_{k_i}(D) \equiv D^{11} \pmod{2867}$. The cipher text is 1609 1802 0790 2508 1949 0267.

11. $k_1 \equiv 4 \pmod 8$, $k_2 \equiv 5 \pmod 9$, $k_3 \equiv 2 \pmod{11}$

13. The three shadows from Exercise 11 are $k_1 = 4$, $k_2 = 5$, and $k_3 = 2$. If $k_1$ and $k_2$ are known, we solve the system of congruences $x \equiv 4 \pmod 8$, $x \equiv 5 \pmod 9$ to get $x = 68$. If $k_1$ and $k_3$ are known, we solve the system of congruences $x \equiv 4 \pmod 8$, $x \equiv 2 \pmod{11}$ to get $x = 68$. If $k_2$ and $k_3$ are known, we solve the system of congruences $x \equiv 5 \pmod 9$, $x \equiv 2 \pmod{11}$ to get $x = 68$. In all three cases, we recover $K_0$. Then $K = K_0 - tp = 68 - 13 \cdot 5 = 3$.

Section 9.1 

1. a. 4 b. 4 c. 6 d. 4

3. $2^1 \equiv 2 \pmod 3$ and $2^2 \equiv 1 \pmod 3$, so $\mathrm{ord}_3 2 = 2$. $2^1 \equiv 2 \pmod 5$, $2^2 \equiv 4 \pmod 5$ and $2^4 = 16 \equiv 1 \pmod 5$, so $\mathrm{ord}_5 2 = 4$. $2^1 \equiv 2 \pmod 7$, $2^2 \equiv 4 \pmod 7$ and $2^3 \equiv 1 \pmod 7$, so $\mathrm{ord}_7 2 = 3$.

5. a. $\phi(6) = 2$, and $5^2 \equiv 1 \pmod 6$. b. $\phi(11) = 10$, $2^2 \equiv 4$, $2^5 \equiv -1$, $2^{10} \equiv 1 \pmod{11}$.

7. Only 1, 5, 7, and 11 are prime to 12. Each one squared is congruent to 1, but $\phi(12) = 4$.

9. There are two: 3 and 5. 

11. That ord,a =ord,a@ follows from the fact that a’ = 1 (mod n) if and only if a’ = 1 (mod n). To 
see this, suppose that a’ = 1 (mod n). Then a’ = @‘a’)(a’) = (aa)‘a’ = I -1=1(modn). The 
converse is shown in a similar manner. 

13. We have [r, s]/(r, s) < ord, ab < [r, s] 

15. Let r =ord,,a’. Then a‘” = 1 (mod m), and hence tr > ts and r > s. Because 1 =a* = (a’)S 
(mod n), we have s > r. 

17. Suppose that $r$ is a primitive root modulo the odd prime $p$. Then $r^{(p-1)/q} \not\equiv 1 \pmod p$ for all prime divisors $q$ of $p - 1$ because no smaller power than the $(p - 1)$st of $r$ is congruent to 1 modulo $p$. Conversely, suppose that $r$ is not a primitive root of $p$. Then there is an integer $t$ such that $r^t \equiv 1 \pmod p$ with $t < p - 1$. Because $t$ must divide $p - 1$, we have $p - 1 = st$ for some positive integer $s$ greater than 1. Then $(p - 1)/s = t$. Let $q$ be a prime divisor of $s$. Then $(p - 1)/q = t(s/q)$, so that $r^{(p-1)/q} = r^{t(s/q)} = (r^t)^{s/q} \equiv 1 \pmod p$.

19. Because $2^{2^n} + 1 \equiv 0 \pmod{F_n}$, then $2^{2^n} \equiv -1 \pmod{F_n}$. Squaring gives $(2^{2^n})^2 \equiv 1 \pmod{F_n}$. Thus, $\mathrm{ord}_{F_n} 2 \le 2^n \cdot 2 = 2^{n+1}$.

21. Note that $a^t < m = a^n - 1$ whenever $1 \le t < n$. Hence, $a^t$ cannot be congruent to 1 modulo $m$ when $t$ is a positive integer less than $n$. However, $a^n \equiv 1 \pmod m$ because $m = (a^n - 1) \mid (a^n - 1)$. It follows that $\mathrm{ord}_m a = n$. Because $\mathrm{ord}_m a \mid \phi(m)$, we see that $n \mid \phi(m)$.

23. First suppose that $pq$ is a pseudoprime to the base 2. By Fermat's little theorem, $2^p \equiv 2 \pmod p$, so there exists an integer $k$ such that $2^p - 2 = kp$. Then $2^{M_p-1} - 1 = 2^{2^p-2} - 1 = 2^{kp} - 1$. This last expression is divisible by $2^p - 1 = M_p$ by Lemma 6.1. Hence, $2^{M_p-1} \equiv 1 \pmod{M_p}$, or $2^{M_p} \equiv 2 \pmod{M_p}$. Because $pq$ is a pseudoprime to the base 2, we have $2^{pq} \equiv 2 \pmod{pq}$, so $2^{pq} \equiv 2 \pmod p$. But $2^{pq} = (2^p)^q \equiv 2^q \pmod p$. Therefore, $2^q \equiv 2 \pmod p$. Then there exists an integer $l$ such that $M_q - 1 = 2^q - 2 = lp$. Then $2^{M_q-1} - 1 = 2^{2^q-2} - 1 = 2^{lp} - 1$, so $2^p - 1 = M_p$ divides $2^{M_q-1} - 1$. Therefore, $2^{M_q} \equiv 2 \pmod{M_p}$. Then we have $2^{M_pM_q} = (2^{M_p})^{M_q} \equiv 2^{M_q} \equiv 2 \pmod{M_p}$. Similarly, $2^{M_pM_q} \equiv 2 \pmod{M_q}$. By the Chinese remainder theorem, noting that $M_p$ and $M_q$ are relatively prime, we have $2^{M_pM_q} \equiv 2 \pmod{M_pM_q}$. Therefore, $M_pM_q$ is a pseudoprime to the base 2. Conversely, suppose $M_pM_q$ is a pseudoprime to the base 2. From the reasoning in the proof of Theorem 6.6, we have that $2^{M_p} \equiv 2 \pmod{M_p}$. Therefore, $2^{M_pM_q} = 2^{(M_p-1)M_q+M_q} \equiv 2^{M_q} \equiv 2 \pmod{M_p}$. But because $M_p = 2^p - 1 \equiv 0 \pmod{M_p}$, we have that the order of 2 modulo $M_p$ is $p$. Therefore, $p \mid M_q - 1$. In other words, $2^q \equiv 2 \pmod p$. Then $2^{pq} \equiv 2^q \equiv 2 \pmod p$. Similarly, $2^{pq} \equiv 2 \pmod q$. Therefore, by the Chinese remainder theorem, $2^{pq} \equiv 2 \pmod{pq}$. Therefore, because $pq$ is composite, it is a pseudoprime to the base 2.

25. a. Let $k$ be an integer that satisfies all of the congruences. If $n \equiv 1 \pmod 2$, then because $\mathrm{ord}_3 2 = 2$, we have $2^n + k \equiv 2^{2m+1} - 2^1 = (2^2)^m 2 - 2 \equiv 1^m 2 - 2 = 0 \pmod 3$, so $3 \mid 2^n + k$. If $n \equiv 2 \pmod 4$, then because $\mathrm{ord}_5 2 = 4$, we have $2^n + k \equiv 2^{4m+2} - 2^2 \equiv 2^2 - 2^2 = 0 \pmod 5$, so $5 \mid 2^n + k$. If $n \equiv 1 \pmod 3$, then because $\mathrm{ord}_7 2 = 3$, we have $2^n + k \equiv 2^{3m+1} - 2^1 \equiv 2 - 2 = 0 \pmod 7$, so $7 \mid 2^n + k$. If $n \equiv 8 \pmod{12}$, then because $\mathrm{ord}_{13} 2 = 12$, we have $2^n + k \equiv 2^{12m+8} - 2^8 \equiv 2^8 - 2^8 = 0 \pmod{13}$, so $13 \mid 2^n + k$. If $n \equiv 4 \pmod 8$, then because $\mathrm{ord}_{17} 2 = 8$, we have $2^n + k \equiv 2^{8m+4} - 2^4 \equiv 2^4 - 2^4 = 0 \pmod{17}$, so $17 \mid 2^n + k$. If $n \equiv 0 \pmod{24}$, then because $\mathrm{ord}_{241} 2 = 24$, we have $2^n + k \equiv 2^{24m} - 2^0 \equiv 1 - 1 = 0 \pmod{241}$, so $241 \mid 2^n + k$. So if $n$ satisfies any of the above congruences, we see that $2^n + k$ cannot be prime. Let $r$ be the least nonnegative residue of $n$ modulo 24. If $r$ is odd, then $n \equiv 1 \pmod 2$. If $r = 2, 6, 10, 14, 18$, or 22, then $n \equiv 2 \pmod 4$. If $r = 4$ or 16, then $n \equiv 1 \pmod 3$. If $r = 8$ or 20, then $n \equiv 8 \pmod{12}$. If $r = 12$, then $n \equiv 4 \pmod 8$. If $r = 0$, then $n \equiv 0 \pmod{24}$. This shows that every positive integer $n$ must satisfy one of the congruences $n \equiv 1 \pmod 2$, $n \equiv 3 \pmod 4$, $n \equiv 1 \pmod 3$, $n \equiv 8 \pmod{12}$, $n \equiv 4 \pmod 8$, and $n \equiv 0 \pmod{24}$. So if $k$ simultaneously satisfies all the congruences stated in the exercise, then $2^n + k$ must be composite for all positive integers $n$. b. Simplifying the congruences in part (a) gives us $k \equiv 1 \pmod 3$, $k \equiv 1 \pmod 5$, $k \equiv 5 \pmod 7$, $k \equiv 4 \pmod{13}$, $k \equiv 1 \pmod{17}$, and $k \equiv -1 \pmod{241}$. Using computational software, we use the Chinese remainder theorem to simultaneously solve this system of congruences to get $k \equiv 1{,}518{,}781 \pmod{5{,}592{,}405}$. Note that the modulus is equal to $3 \cdot 5 \cdot 7 \cdot 13 \cdot 17 \cdot 241$. Then $2^n + 1{,}518{,}781$ is composite for all positive integers $n$.

27. Let $j = \mathrm{ord}_{\phi(n)} e$. Then $e^j \equiv 1 \pmod{\phi(n)}$. Because $\mathrm{ord}_n P \mid \phi(n)$, we have $e^j \equiv 1 \pmod{\mathrm{ord}_n P}$. Then by Theorem 9.2, $P^{e^j} \equiv P \pmod n$, so $C^{e^{j-1}} \equiv (P^e)^{e^{j-1}} \equiv P^{e^j} \equiv P \pmod n$ and $C^{e^j} \equiv P^e \equiv C \pmod n$.


Section 9.2 

1. a. 2 b. 2 c. 3 d. 0

3. a. 2 b. 4 c. 8 d. 6 e. 12 f. 22

5. 2, 6, 7, 11

7. 2, 3, 10, 13, 14, 15

9. By Lagrange's theorem, there are at most two solutions to $x^2 \equiv 1 \pmod p$, and we know $x \equiv \pm 1$ are the two solutions. Because $p \equiv 1 \pmod 4$, $4 \mid (p - 1) = \phi(p)$, so there is an element $x$ of order 4 modulo $p$. Then $x^4 = (x^2)^2 \equiv 1 \pmod p$, so $x^2 \equiv \pm 1 \pmod p$. If $x^2 \equiv 1 \pmod p$, then $x$ does not have order 4. Therefore, $x^2 \equiv -1 \pmod p$.

11. a. Let $f(x) = a_nx^n + a_{n-1}x^{n-1} + \cdots + a_0$, and let $k$ be the largest integer such that $p$ does not divide $a_k$. Let $g(x) = a_kx^k + a_{k-1}x^{k-1} + \cdots + a_0$. Then $f(x) \equiv g(x) \pmod p$ for every value of $x$. In particular, $g(x)$ has the same set of roots as $f(x)$. Because the number of roots is greater than $n \ge k$, this contradicts Lagrange's theorem. Therefore, no such $k$ exists and $p$ must divide every coefficient of $f(x)$. b. Note that the degree of $f(x)$ is $p - 2$. By Fermat's little theorem, we have that $x^{p-1} - 1 \equiv 0 \pmod p$, for $x = 1, 2, \ldots, p - 1$. Further, each $x$ in the same range is a zero for $(x - 1)(x - 2)\cdots(x - p + 1)$. Therefore, each $x = 1, 2, \ldots, p - 1$ is a root of $f(x)$. Because $f(x)$ has degree $p - 2$ and $p - 1$ roots, part (a) tells us that all the coefficients of $f(x)$ are divisible by $p$. c. From part (b), we know that the constant term of $f(x)$ is divisible by $p$. The constant term is given by $f(0) = (-1)(-2)\cdots(-p + 1) + 1 = (-1)^{p-1}(p - 1)! + 1 = (p - 1)! + 1 \equiv 0 \pmod p$, which is Wilson's theorem.


13. a. Because qi | ’(p) = p — 1, by Theorem 9.8 there exists o(q;! ) elements of order q;! for
eachi = 1, 2,..., 7. Let a; be a fixed element of this order. _b. Using induction and Exercise
10 of Section 9.1, we have ord,,(a) = ord, (ajay - --a,) = ord, (a; ---a,_;) ord ,(@,) =---=
ord, (a;) - - - ord, (a,) because {ord,,(a;), ord, (az), ..., ord, (a,)} = (qi, ...,@2"} are pairwise
relatively prime. c.18

15. If n is odd, composite, and not a power of 3, then the product in Exercise 14 is TTja1@ -—l,p f=
)>@-—-1,3-—)(—-1,5-1) > 2-2 =4. So there must be two bases other than —1 and +1.

17. a. Suppose that $f(x)$ is a polynomial with integer coefficients of degree $n - 1$. Suppose that $x_1, x_2, \ldots, x_n$ are incongruent modulo $p$ where $p$ is prime. Consider the polynomial $g(x) = f(x) - \sum_{j=1}^{n} f(x_j) \prod_{i \ne j} (x - x_i)\overline{(x_j - x_i)}$. Note that $x_j$, $j = 1, 2, \ldots, n$, is a root of this polynomial modulo $p$ because its value at $x_j$ is $f(x_j) - [0 + 0 + \cdots + f(x_j)\prod_{i \ne j}(x_j - x_i)\overline{(x_j - x_i)} + \cdots + 0] \equiv f(x_j) - f(x_j) \cdot 1 = 0 \pmod p$. Because $g(x)$ has $n$ incongruent roots modulo $p$, and because it is of degree $n - 1$ or less, we can easily use Lagrange's theorem (Theorem 9.6) to see that $g(x) \equiv 0 \pmod p$ for every integer $x$. b. 10

19. By Exercise 27 of Section 9.1, $j \mid \mathrm{ord}_{\phi(n)} e$. Here, $\phi(n) = \phi(pq) = 4p'q'$, so $j \mid \phi(4p'q') = 2(p' - 1)(q' - 1)$. Choose $e$ to be a primitive root modulo $p'$. Then $p' - 1 = \phi(p') \mid \phi(\phi(n))$, so $p' - 1 \mid \mathrm{ord}_{\phi(n)} e$. The decrypter needs $e^j \equiv 1 \pmod n$, but this choice of $e$ forces $j = p' - 1$, which will take quite some time to find.


Section 9.3 


1. 4, 10, 22

3. a. 2 b. 2 c. 5 d. 2

5. a. 2 b. 2 c. 2 d. 3

7. a. 7 b. 3 c. 21 d. 27

9. 7, 13, 17, 19

11. 3; 15, 15, 21, 29, 33

13. Suppose that r is a primitive root of m, and suppose further that x? = 1 (mod m). Let x =r’
(mod m) where 0 < t < p — 1. Thenr” = 1 (mod m). Because r isa primitive root, it follows that
@(m) | 2t so that 2t = kp(m) and t = k(m)/2 for some integer k. We have x =r! = r*9™)/2 —
rm) /2)k — (—1)* = +1 (mod m), because r?)/? = —1 (mod m). Conversely, suppose that m
has no primitive root. Then m is not of one of the forms 2, 4, p®, or 2p* with p an odd prime.
So either 2 distinct odd primes divide m or m = 2°M with M > 1 an odd integer and b > 1 or
m = 2° with b > 3 orm = 8. If m = 8, note that 3 = 1 (mod 8). In each of the other cases, we have
@(m) = 2°N with N odd and c > 3. From Theorem 9.12, we know there are at least three solutions
Y1> Y2s ¥3 to y* = 1 (mod 2°), and certainly z = 1 (mod N) is a solution of x? = 1 (mod N). By
the Chinese remainder theorem, there is a unique solution modulo 2°N of the system x = y;
(mod 2°), z= 1(mod N) for i = 1, 2, 3. Because these solutions are distinct modulo m, at least
one of them is not +1 (mod m).

15. By Theorem 9.12, we know that $\mathrm{ord}_{2^k} 5 = \phi(2^k)/2$. Hence, the $2^{k-2}$ integers $5^j$, $j = 0, 1, \ldots, 2^{k-2} - 1$, are incongruent modulo $2^k$. Similarly, the $2^{k-2}$ integers $-5^j$, $j = 0, 1, \ldots, 2^{k-2} - 1$, are incongruent modulo $2^k$. Note that $5^i$ cannot be congruent to $-5^j$ modulo $2^k$ where $i$ and $j$ are integers, because $5^i \equiv 1 \pmod 4$ but $-5^j \equiv 3 \pmod 4$. It follows that the integers $1, 5, \ldots, 5^{2^{k-2}-1}, -1, -5, \ldots, -5^{2^{k-2}-1}$ are $2^{k-1}$ incongruent integers modulo $2^k$. Because $\phi(2^k) = 2^{k-1}$ and every integer of the form $(-1)^{\alpha}5^{\beta}$ is relatively prime to $2^k$, it follows that every odd integer is congruent to an integer of this form with $\alpha = 0$ or 1 and $0 \le \beta \le 2^{k-2} - 1$.
Section 9.4

1. The values of $\mathrm{ind}_5 i$, $i = 1, 2, \ldots, 22$ are 22, 2, 16, 4, 1, 18, 19, 6, 10, 3, 9, 20, 14, 21, 17, 8, 7, 12, 15, 5, 13, 11, respectively.

3. a. 7, 18 b. none

5. 8, 9, 20, 21, 29 (mod 29)

7. all positive integers $x \equiv$ 1, 12, 23, 24, 45, 46, 47, 67, 69, 70, 78, 89, 91, 92, 93, 100, 111, 115, 116, 133, 137, 138, 139, 144, 155, 161, 162, 177, 183, 184, 185, 188, 199, 207, 208, 210, 221, 229, 230, 231, 232, 243, 253, 254, 265, 275, 276, 277, 287, 299, 300, 309, 321, 322, 323, 331, 345, 346, 353, 367, 368, 369, 375, 386, 391, 392, 397, 413, 414, 415, 419, 430, 437, 438, 441, 459, 460, 461, 463, 483, 484, 485, 496, 505 (mod 506)

9. Suppose that $x^4 \equiv -1 \pmod p$ and let $y = \mathrm{ind}_r x$. Then $-x$ is also a solution and by Exercise 8, $\mathrm{ind}_r(-x) \equiv \mathrm{ind}_r(-1) + \mathrm{ind}_r(x) \equiv (p - 1)/2 + y \pmod{p - 1}$. So, without loss of generality, we may take $0 < y < (p - 1)/2$, or $0 < 4y < 2(p - 1)$. Taking indices of both sides of the congruence yields $4y \equiv \mathrm{ind}_r(-1) \equiv (p - 1)/2 \pmod{p - 1}$, again using Exercise 8. So $4y = (p - 1)/2 + m(p - 1)$ for some $m$. But $4y < 2(p - 1)$, so either $4y = (p - 1)/2$ and so $p = 8y + 1$ or $4y = 3(p - 1)/2$. In this last case, 3 must divide $y$, so we have $p = 8(y/3) + 1$. So in either case, $p$ is of the desired form. Conversely, suppose $p = 8k + 1$ and let $r$ be a primitive root of $p$. Take $x = r^k$. Then $x^4 = r^{4k} = r^{(p-1)/2} \equiv -1 \pmod p$ by Exercise 8. So this $x$ is a solution.

11. (1, 2), (0, 2)

13. $x \equiv 29 \pmod{32}$; $x \equiv 4 \pmod 8$

15. (0, 0, 1, 1), (0, 0, 1, 4)

17. $x \equiv 17 \pmod{60}$

19. We seek a solution to $x^k \equiv a \pmod{2^e}$. We take indices as described before Exercise 11. Suppose $a \equiv (-1)^{\alpha}5^{\beta}$ and $x \equiv (-1)^{\gamma}5^{\delta}$. Then we have $\mathrm{ind}\, x^k = (k\gamma, k\delta)$ and $\mathrm{ind}\, a = (\alpha, \beta)$, so $k\gamma \equiv \alpha \pmod 2$ and $k\delta \equiv \beta \pmod{2^{e-2}}$. Because $k$ is odd, both congruences are solvable for $\gamma$ and $\delta$, which determine $x$.

21. First we show that ordy.5 = 2°—?. Indeed, @(2°) = 2°—!, so it suffices to show that the highest
power of 2 dividing 5°" _ 1 is 2°. We proceed by induction. The basis step is the case e = 2,
which is true. Note that 52°” — 1 = (52° — 1)(5*”° + 1). The first factor is exactly divisible by
2°! by the induction hypothesis. The second factor differs from the first by 2, so it is exactly
divisible by 2, and therefore 5°? _ Lis exactly divisible by 2°, as desired. Hence, if k is odd,
the numbers +5*, +57... , 452° 7k are 2¢-1 incongruent kth power residues, which is the
number given by the formula. If 2” exactly divides k, then 5‘ = —5* (mod 2°), so the formula
must be divided by 2, hence the factor (k, 2) in the denominator. Further, 52” has order 2°~2 {2
if m < e — 2 and order 1 if m > e — 2, so the list must repeat modulo 2° every ord,.5~” terms,
whence the other factor in the denominator.

23. a. From the first inequality in case (i) of the proof of Theorem 6.10, if $n$ is not square-free, the probability is strictly less than $2n/9$, which is substantially smaller than $(n - 1)/4$ for large $n$. If $n$ is square-free, the argument following inequality (9.6) shows that if $n$ has four or more factors, then the probability is less than $n/8$. The next inequality shows that the worst case for $n = p_1p_2$ is when $s_1 = s_2$ and $s_1$ is as small as possible, which is the case stated in this exercise. b. 0.24999...
Section 9.5

1. We have $2^2 \equiv 4 \pmod{101}$, $2^5 \equiv 32 \pmod{101}$, $2^{10} = (2^5)^2 \equiv 32^2 \equiv 14 \pmod{101}$, $2^{20} = (2^{10})^2 \equiv 14^2 \equiv 95 \pmod{101}$, $2^{25} = (2^5)^5 \equiv 32^5 = (32^2)^2 \cdot 32 = 1024^2 \cdot 32 \equiv 14^2 \cdot 32 = 196 \cdot 32 \equiv -6 \cdot 32 = -192 \equiv 10 \pmod{101}$, $2^{50} = (2^{25})^2 \equiv 10^2 = 100 \equiv -1 \pmod{101}$, $2^{100} = (2^{50})^2 \equiv (-1)^2 = 1 \pmod{101}$. Because $2^{(101-1)/q} \not\equiv 1 \pmod{101}$ for every proper divisor $q$ of 100, and because $2^{101-1} \equiv 1 \pmod{101}$, it follows that 101 is prime.

3. $233 - 1 = 2^3 \cdot 29$, $3^{116} \equiv -1 \pmod{233}$, $3^8 \equiv 37 \not\equiv 1 \pmod{233}$

5. The first condition implies $x^{F_n-1} \equiv 1 \pmod{F_n}$. The only prime dividing $F_n - 1 = 2^{2^n}$ is 2, and $(F_n - 1)/2 = 2^{2^n-1}$, so the second condition implies $x^{(F_n-1)/2} \not\equiv 1 \pmod{F_n}$. Then by Theorem 9.18, $F_n$ is prime.

7. See [Le80]

9. Because $n - 1 = 9928 = 2^3 \cdot 17 \cdot 73$, we take $F = 2^3 \cdot 17 = 136$ and $R = 73$, noting that $F > R$. We apply Pocklington's test with $a = 3$. We check (using a calculator or computational software) that $3^{9928} \equiv 1 \pmod{9929}$ and $(3^{9928/2} - 1, 9929) = 1$ and $(3^{9928/17} - 1, 9929) = 1$, because 2 and 17 are the only primes dividing $F$. Therefore, $n$ passes Pocklington's test and so is prime.

11. Note that $3329 = 2^8 \cdot 13 + 1$ and $13 < 2^8$ so it is of the form that can be tested by Proth's test. We try $2^{(3329-1)/2} = 2^{1664} \equiv 1 \pmod{3329}$ (using a calculator or computational software). So Proth's test fails for $a = 2$. Next we try $a = 3$ and compute $3^{1664} \equiv -1 \pmod{3329}$, which shows that 3329 is prime.

13. We apply Pocklington's test to this situation. Note that $n - 1 = hq^k$, so we let $F = q^k$ and $R = h$ and observe that by hypothesis $F > R$. Because $q$ is the only prime dividing $F$, we need only check that there is an integer $a$ such that $a^{n-1} \equiv 1 \pmod n$ and $(a^{(n-1)/q} - 1, n) = 1$. But both of these conditions are hypotheses.
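The checks carried out by hand in answers 9, 11 and 13 above, as an added Python example (not code from the book). The function names and the three-way verdict are choices made for this example; the caller is assumed to supply the distinct primes dividing the factored part $F$ of $n - 1$.

```python
# Added example: Pocklington's test with the page's conditions
#   a^(n-1) = 1 (mod n)  and  (a^((n-1)/q) - 1, n) = 1 for each prime q | F,
# where n - 1 = F*R and F > R. Proth's test is the case F = 2^k.
from math import gcd


def factored_part(n, f_primes):
    """Split n - 1 = F * R, F collecting every power of the given primes."""
    f, r = 1, n - 1
    for q in sorted(set(f_primes)):
        if r % q:
            raise ValueError("%d does not divide n - 1" % q)
        while r % q == 0:
            r //= q
            f *= q
    return f, r


def pocklington(n, f_primes, a):
    """Return 'prime', 'composite' or 'inconclusive' for base a.

    f_primes must list primes only (assumption: the caller has verified
    them); a ValueError is raised when F <= R, where the test says nothing.
    """
    f, r = factored_part(n, f_primes)
    if f <= r:
        raise ValueError("need F > R, got F = %d, R = %d" % (f, r))
    if pow(a, n - 1, n) != 1:
        return "composite"            # Fermat's congruence fails for base a
    inconclusive = False
    for q in set(f_primes):
        g = gcd(pow(a, (n - 1) // q, n) - 1, n)
        if 1 < g < n:
            return "composite"        # g is a proper factor of n
        if g == n:
            inconclusive = True       # a^((n-1)/q) = 1: try another base
    return "inconclusive" if inconclusive else "prime"


def first_verdict(n, f_primes, bases=range(2, 50)):
    """Try bases in order; return (a, verdict) for the first decisive base."""
    for a in bases:
        verdict = pocklington(n, f_primes, a)
        if verdict != "inconclusive":
            return a, verdict
    return None, "inconclusive"


if __name__ == "__main__":
    print(pocklington(9929, [2, 17], 3))   # answer 9: F = 136, R = 73
    print(pocklington(3329, [2], 2))       # answer 11: base 2 settles nothing
    print(pocklington(3329, [2], 3))       # answer 11: base 3 succeeds
    print(first_verdict(561, [2, 5]))      # Carmichael number 3 * 11 * 17
```

Base 2 passes Fermat's congruence for the Carmichael number 561, and it is the gcd condition that exposes it as composite.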


Section 9.6 


1. a. 20 b. 12 c. 36 d. 48 e. 180 f. 388,080 g. 8640 h. 125,411,328,000

3. 65,520

5. Suppose that $m = 2^{t_0}p_1^{t_1}\cdots p_s^{t_s}$. Then $\lambda(m) = [\lambda(2^{t_0}), \phi(p_1^{t_1}), \ldots, \phi(p_s^{t_s})]$. Furthermore, $\phi(m) = \phi(2^{t_0})\phi(p_1^{t_1})\cdots\phi(p_s^{t_s})$. Because $\lambda(2^{t_0}) = 1$, 2, or $2^{t_0-2}$ when $t_0 = 1$, 2, or $t_0 \ge 3$, respectively, it follows that $\lambda(2^{t_0}) \mid \phi(2^{t_0}) = 2^{t_0-1}$. Because the least common multiple of a set of numbers divides the product of these numbers, or their multiples, we see that $\lambda(m) \mid \phi(m)$.

7. For any integer x with (x, n) = (x, m) = 1, we have x* = 1 (mod n) and x? = 1 (mod m). Then
the Chinese remainder theorem gives us x° = 1 (mod [n, m]). But because n is the largest integer
with this property, we must have [n, m]=n, so m|n.

9. Suppose that $ax \equiv b \pmod m$. Multiplying both sides of this congruence by $a^{\lambda(m)-1}$ gives $a^{\lambda(m)}x \equiv a^{\lambda(m)-1}b \pmod m$. Because $a^{\lambda(m)} \equiv 1 \pmod m$, it follows that $x \equiv a^{\lambda(m)-1}b \pmod m$. Conversely, let $x_0 \equiv a^{\lambda(m)-1}b \pmod m$. Then $ax_0 \equiv aa^{\lambda(m)-1}b = a^{\lambda(m)}b \equiv b \pmod m$, so $x_0$ is a solution.

11. a. First suppose that m = p®. Then we have x(x°—! — 1) =0 (mod p*). Let s be a primitive root
for p%; then the solutions to x°—! = 1 are exactly the powers s* with (c — 1I)k = 1 (mod ¢(p*)),
and there are (c — 1, @(p%)) of these. Also, 0 is a solution, so we have 1+ (c — 1, (p*))
solutions all together. Now if m = D. - ++ p?r, we can count the number of solutions modulo Pp;
for each i. There is a one-to-one correspondence between solutions modulo m and the set of r-
tuples of solutions to the system of congruences modulo each of the prime powers. _b. Suppose
(c — 1, #(m)) = 2, then c — 1 is even. Because ¢(p”) is even for all prime powers, except 2, we
have (c — 1, o( P;')) = 2 for each i. Then by part (a), we have the number of solutions = 3”. If 2!
is a prime factor, then (mm) = @(m/2), and because x° and x have the same parity, x is a solution
modulo m if and only if it is a solution modulo m/2, so the result still holds.

13. Let n = 3pq, with p <q odd primes, be a Carmichael number. Then by Theorem 9.27,
Pp — 1|3pq —1=3(p — 1)q + 3q — 1, s0 p — 1|3q — 1, say, (p — la = 3g — 1. Because q > p,
we must have a > 4. Similarly, there is an integer b such that (q — 1)b = 3p — 1. Solving these
two equations for p and q yields g = (2a + ab — 3)/(ab — 9) and p = (2b + ab — 3)/(ab — 9) =
1+ (2b+ 6)/(ab — 9). Then because p is an odd prime greater than 3, we must have
4(ab — 9) < 2b + 6, which reduces to b(2a — 1) < 21. Because a > 4, this implies that b < 3.
Then 4(ab — 9) < 2b+ 6< 12, soab < 21/4, soa <5. Therefore, a = 4 or 5. If b = 3, then the
denominator in the expression for q is a multiple of 3, so the numerator must be a multiple of 3,
but that is impossible because there is no choice for a that is divisible by 3. Thus, b = 1 or 2. The
denominator of q must be positive, so ab > 9, which eliminates all remaining possibilities except
a =S, b=2, in which case p = 11 and gq = 17. So the only Carmichael number of this form is
561 = 3-11-17.

15. Assume q < r. By Theorem 9.23, gq — 1|pqr — 1=(q — 1)pr+ pr — 1. Therefore, g — 1|pr —1,
say, a(q — 1) = pr — 1. Similarly, b(r — 1) = pq — 1. Because q <r, we must have a > b.
Solving these two equations for q and r yields r = (p(a — 1) + a(b — 1))/(ab — p’) and
q = (p(b — 1) + b(a — 1) /(ab — p’) =1+ (p? + pb — p —b)/(ab—- p’). Because this
last fraction must be an integer, we have ab — p < p + pb — p —b, which reduces to
a(b — 1) < 2p? + p(b—1) or a—1< 2p?/b + p(b — 1)/b < 2p? + p. So there are only
finitely many values for a. Likewise, the same inequality gives us b(a — 1) <2p?+ pb— p
or b(a — 1— p) < 2p* — p. Because a > b and the denominator of the expression for g must
be positive, we have thata > p+ 1. Ifa = p+ 1, we have (p+ 1)(q —-1)=pq-—p+q-1=
pr — 1, which implies that p|q, a contradiction. Therefore, a > p+1, and soa—1-—pisa
positive integer. The last inequality gives us b < b(a — 1— p) < 2p? — p. Therefore, there are
only finitely many values for b. Because a and b determine q and r, we see that there can be only
finitely many Carmichael numbers of this form.

17. We have q,,(ab) = ((ab?™ — 1)/n = (PORO — FO — WM 4.14 0 + HM _— 2)/n =
(a ™ — (YP — 1)/nt+ (a™ — 1) 4 (b™ — 1)/n = q,(a) + gn(b) (mod n). At the last
step, we use the fact that n? must divide (a*™ — 1)(b*™ — 1), because A(n) is the universal
exponent.


Section 10.1 


1. 69, 76, 77, 92, 46, 11, 12, 14, 19, 36, 29, 84, 05, 02, 00, 00, 00, ...

3. 10

5. a. $a \equiv 1 \pmod{20}$ b. $a \equiv 1 \pmod{30030}$ c. $a \equiv 1 \pmod{111111}$ d. $a \equiv 1$ (mod 2 — 1).

7. a. 31 b. 715,827,882 c. 31 d. 195,225,786 e. 1,073,741,823 f. 1,073,741,823

9. 8, 64, 15, 71, 36, 64, 15, 71, 36, ...

11. First we find that $\mathrm{ord}_{77} 8$ is 10. Because $\mathrm{ord}_5 2 = 4$, the period length is 4.

13. Using the notation of Theorem 10.4, we have $\phi(77) = 60$, so $\mathrm{ord}_{77} x_0$ is a divisor of $60 = 2^2 \cdot 3 \cdot 5$. Then the only possible values for $s$ are the odd divisors of 60, which are 3, 5, and 15. Then we note that $2^2 \equiv 1 \pmod 3$, $2^4 \equiv 1 \pmod 5$, and $2^4 = 16 \equiv 1 \pmod{15}$. In each case we have shown that $\mathrm{ord}_s 2 \le 4$. Hence by Theorem 10.4, the maximum period length is 4.

15. 1, 24, 25, 18, 12, 30, 11, 10, 21

17. Check that 7 has maximal order 1800 modulo $2^{25} - 1$. To make a large enough multiplier, raise 7 to a power relatively prime to $\phi(2^{25} - 1) = 32{,}400{,}000$, for example, to the 11th power.

19. 665

21. a. 8, 2, 8, 2, 8, 2, ... b. 9, 12, 6, 13, 8, 18, 2, 4, 16, 3, 9, 12, 6, ...


Section 10.2 


1. We select $k = 1234$ for our random integer. Converting the plaintext into numerical equivalents results in 0700 1515 2401 0817 1907 0300 2423, where we filled out the last block with an X. Using a calculator or computational software, we find $\gamma \equiv r^k \equiv 6^{1234} \equiv 517 \pmod{2551}$. Then for each block $P$, we compute $\delta \equiv P \cdot b^k \equiv P \cdot 33^{1234} \equiv P \cdot 651 \pmod{2551}$. The resulting blocks are $0700 \cdot 651 \equiv 1622 \pmod{2551}$, $1515 \cdot 651 \equiv 1579 \pmod{2551}$, $2401 \cdot 651 \equiv 1839 \pmod{2551}$, $0817 \cdot 651 \equiv 1259 \pmod{2551}$, $1907 \cdot 651 \equiv 1671 \pmod{2551}$, $0300 \cdot 651 \equiv 1424 \pmod{2551}$, and $2423 \cdot 651 \equiv 855 \pmod{2551}$. Therefore, the ciphertext is (517, 1622), (517, 1579), (517, 1839), (517, 1259), (517, 1671), (517, 1424), (517, 855). To decrypt this ciphertext, we compute $\gamma^{p-1-a} = 517^{2551-1-13} = 517^{2537} \equiv 337 \pmod{2551}$. Then for each block of the cipher text, we compute $P \equiv 337 \cdot \delta \pmod{2551}$. For the first block, we have $337 \cdot 1622 \equiv 0700 \pmod{2551}$, which was the first block of the plaintext. The other blocks are decrypted the same way.

3. RABBIT

5. $(\gamma, s) = (2022, 833)$; to verify this signature, we compute $V_1 \equiv 2022^{833} \cdot 801^{2022} \equiv 1014 \equiv 3^{823} \equiv V_2 \pmod{2657}$ using computational software.

7. Let $\delta_1 = P_1b^k$ and $\delta_2 = P_2b^k$ as in the ElGamal cryptosystem. If $P_1$ is known, it is easy to compute an inverse $\bar{P}_1$ for $P_1$ modulo $p$. Then $b^k \equiv \bar{P}_1\delta_1 \pmod p$. Then it is also easy to compute an inverse $\overline{b^k}$ for $b^k \pmod p$. Then $P_2 \equiv \overline{b^k}\delta_2 \pmod p$. Hence, the plaintext $P_2$ is recovered.


Section 10.3 
1. a. 8 b. 5 c. 2 d. 6 e. 30 f. 20

3. a. At each stage of the splicing, the $k$th wire of one section is connected to the $S(k)$th wire, where $S(k)$ is the least positive residue of $3k - 2 \pmod{50}$. b. At each stage of the splicing, the $k$th wire of one section is connected to the $S(k)$th wire, where $S(k)$ is the least positive residue of $21k + 56 \pmod{76}$. c. At each stage of the splicing, the $k$th wire of one section is connected to the $S(k)$th wire, where $S(k)$ is the least positive residue of $2k - 1 \pmod{125}$.


Section 11.1 

1. a. 1 b. 1, 4 c. 1, 3, 4, 9, 10, 12 d. 1, 4, 5, 6, 7, 9, 11, 16, 17

3. 1, -1, -1, 1

5. a. $\left(\frac{7}{11}\right) \equiv 7^{(11-1)/2} = 7^5 \equiv 49^2 \cdot 7 \equiv 5^2 \cdot 7 \equiv 3 \cdot 7 \equiv -1 \pmod{11}$ b. $(7, 14, 21, 28, 35) \equiv (7, 3, 10, 6, 2) \pmod{11}$ and three of these are greater than $11/2$, so $\left(\frac{7}{11}\right) = (-1)^3 = -1$

7. We have $\left(\frac{-2}{p}\right) = \left(\frac{-1}{p}\right)\left(\frac{2}{p}\right)$ by Theorem 11.4. Using Theorems 11.5 and 11.6, we have: If $p \equiv 1 \pmod 8$, then $\left(\frac{-2}{p}\right) = (1)(1) = 1$. If $p \equiv 3 \pmod 8$, then $\left(\frac{-2}{p}\right) = (-1)(-1) = 1$. If $p \equiv -1 \pmod 8$, then $\left(\frac{-2}{p}\right) = (-1)(1) = -1$. If $p \equiv -3 \pmod 8$, then $\left(\frac{-2}{p}\right) = (1)(-1) = -1$.

9. Because $p - 1 \equiv -1$, $p - 2 \equiv -2$, ..., $(p + 1)/2 \equiv -(p - 1)/2 \pmod p$, we have $((p - 1)/2)!^2 \equiv -(p - 1)! \equiv 1 \pmod p$ by Wilson's theorem. (Because $p \equiv 3 \pmod 4$, we have that $(p - 1)/2$ is odd, so that $(-1)^{(p-1)/2} = -1$.) By Euler's criterion, $((p - 1)/2)!^{(p-1)/2} \equiv \left(\frac{1}{p}\right)\left(\frac{2}{p}\right)\cdots\left(\frac{(p-1)/2}{p}\right) = (-1)^t \pmod p$, by definition of the Legendre symbol. Because $((p - 1)/2)! \equiv \pm 1 \pmod p$, and $(p - 1)/2$ is odd, we have the result.

11. If p= 1 (mod 4), (=2) = (=!) (¢) =1-1=1 If p =3 (mod), (=2) = (+) (2) =
(-1)-1=-1.

13. a. $x \equiv 2$ or $4 \pmod 7$ b. $x \equiv 1 \pmod 7$ c. no solutions

15. Suppose that $p$ is a prime that is at least 7. At least one of the three incongruent integers 2, 3, and 6 is a quadratic residue of $p$, because if neither 2 nor 3 is a quadratic residue of $p$, then $2 \cdot 3 = 6$ is a quadratic residue of $p$. If 2 is a quadratic residue, then 2 and 4 are quadratic residues that differ by 2; if 3 is a quadratic residue, then 1 and 3 are quadratic residues that differ by 2; while if 6 is a quadratic residue, then 4 and 6 are quadratic residues that differ by 2.

17. a. Because $p = 4n + 3$, $2n + 2 = (p + 1)/2$. Then $x^2 \equiv (\pm a^{n+1})^2 = a^{2n+2} = a^{(p+1)/2} = a^{(p-1)/2}a \equiv 1 \cdot a = a \pmod p$, using the fact that $a^{(p-1)/2} \equiv 1 \pmod p$, because $a$ is a quadratic residue of $p$. By Lemma 11.1, there are only these two solutions. b. By Lemma 11.1, there are exactly two solutions to $y^2 \equiv 1 \pmod p$, namely, $y \equiv \pm 1 \pmod p$. Because $p \equiv 5 \pmod 8$, $-1$ is a quadratic residue of $p$ and 2 is a quadratic nonresidue of $p$. Because $p = 8n + 5$, we have $4n + 2 = (p - 1)/2$ and $2n + 2 = (p + 3)/4$. Then $(\pm a^{n+1})^2 \equiv a^{(p+3)/4} \pmod p$ and $(\pm 2^{2n+1}a^{n+1})^2 = 2^{(p-1)/2}a^{(p+3)/4} \equiv -a^{(p+3)/4} \pmod p$ by Euler's criterion. We must show that one of $a^{(p+3)/4}$ or $-a^{(p+3)/4} \equiv a \pmod p$. Now, $a$ is a quadratic residue of $p$, so $a^{(p-1)/2} \equiv 1 \pmod p$ and therefore $a^{(p-1)/4}$ solves $x^2 \equiv 1 \pmod p$. But then $a^{(p-1)/4} \equiv \pm 1 \pmod p$, that is, $a^{(p+3)/4} \equiv \pm a \pmod p$ or $\pm a^{(p+3)/4} \equiv a \pmod p$, as desired.

19. $x \equiv 1, 4, 11$, or $14 \pmod{15}$

21. 47, 96, 135, 278, 723, 866, 905, 954 (mod 1001)

23. If $x^2 \equiv a \pmod{p^{e+1}}$, then $x^2 \equiv a \pmod{p^e}$. Conversely, if $x_0^2 \equiv a \pmod{p^e}$, then $x_0^2 = a + bp^e$ for some integer $b$. We can solve the linear congruence $2x_0y \equiv -b \pmod p$, say, $y = y_0$. Let $x_1 = x_0 + y_0p^e$. Then $x_1^2 \equiv x_0^2 + 2x_0y_0p^e = a + p^e(b + 2x_0y_0) \equiv a \pmod{p^{e+1}}$ because $p \mid 2x_0y_0 + b$. This is the induction step in showing that $x^2 \equiv a \pmod{p^e}$ has solutions if and only if $\left(\frac{a}{p}\right) = 1$.

25. a. 4 b. 8 c. 0 d. 16

27. Suppose $p_1, p_2, \ldots, p_n$ are the only primes of the form $4k + 1$. Let $N = 4(p_1p_2\cdots p_n)^2 + 1$. Let $q$ be an odd prime factor of $N$. Then $q \ne p_i$, $i = 1, 2, \ldots, n$, but $N \equiv 0 \pmod q$, so $4(p_1p_2\cdots p_n)^2 \equiv -1 \pmod q$ and therefore $\left(\frac{-1}{q}\right) = 1$, so $q \equiv 1 \pmod 4$ by Theorem 11.5.

29. Let $b_1$, $b_2$, $b_3$, and $b_4$ be four incongruent modular square roots of $a$ modulo $pq$. Then each $b_i$ is a solution to exactly one of the four systems of congruences in the text. For convenience, let the subscripts correspond to the lowercase Roman numerals of the systems. Suppose two of the $b_i$'s were quadratic residues modulo $pq$. Without loss of generality, say $b_1 \equiv y_1^2 \pmod{pq}$ and $b_2 \equiv y_2^2 \pmod{pq}$. Then from systems (i) and (ii), we have that $y_1^2 \equiv b_1 \equiv x_2 \pmod q$ and $y_2^2 \equiv b_2 \equiv -x_2 \pmod q$. Therefore, both $x_2$ and $-x_2$ are quadratic residues modulo $q$, but this is impossible because $q \equiv 3 \pmod 4$. The other cases are identical. Next we show that one of the modular square roots is a quadratic residue. Because $a$ is a quadratic residue modulo $p$, there exists $b$ such that $(\pm b)^2 \equiv a \pmod p$. Likewise, there exists $c$ such that $(\pm c)^2 \equiv a \pmod q$. One of $b$ or $-b$ is a quadratic residue modulo $p$, by Exercise 11. Without loss of generality, suppose $b \equiv d^2 \pmod p$. Likewise, suppose $c \equiv e^2 \pmod q$. Solve the system of congruences $x \equiv d \pmod p$, $x \equiv e \pmod q$. Then $x^2 \equiv b \pmod p$ and $x^2 \equiv c \pmod q$. Thus, $x^2$ satisfies one of the four congruences in the text and hence must be one of the $b_i$. Therefore, this $b_i$ is a quadratic residue modulo $pq$.
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31. 


33. 


35. 


37. 


39. 


41. 


43. 


45. 


47. 


49. 


51. 


53. 
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Let r be a primitive root for p and leta =r* (mod p) and b=r' (mod p) with 1 <s,t < p—1. 
If a= b (mod p), then s = t and so s and t have the same parity. By Theorem 11.2, we have part 
(i). Further, we have ab = r‘* (mod p). Then the right-hand side of (ii) is 1 exactly when s and 
t have the same parity, which is exactly when the left-hand side is 1. This proves part (ii). Finally, 
because a? = r25 (mod p) and 2s is even, we must have that a isa quadratic residue modulo p, 
proving part (iii). 


If $r$ is a primitive root of $q$, then the set of all primitive roots is given by $\{r^k : (k, \phi(q)) = (k, 2p) = 1\}$. So the $p - 1$ numbers $\{r^k : k \text{ is odd and } k \ne p,\ 1 \le k < 2p\}$ are all the primitive roots of $q$. On the other hand, $q$ has $(q - 1)/2 = p$ quadratic residues, which are given by $\{r^2, r^4, \ldots, r^{2p}\}$. This set has no intersection with the first one.


First suppose $p = 2^{2^n} + 1$ is a Fermat prime and let $r$ be a primitive root for $p$. Then $\phi(p) = 2^{2^n}$. Then an integer $a$ is a nonresidue if and only if $a = r^k$ with $k$ odd. But then $(k, \phi(p)) = 1$, so $a$ is also a primitive root. Conversely, suppose that $p$ is an odd prime and every quadratic nonresidue of $p$ is also a primitive root of $p$. Let $r$ be a particular primitive root of $p$. Then $r^k$ is a quadratic nonresidue and hence a primitive root for $p$ if and only if $k$ is odd. But this implies that every odd number is relatively prime to $\phi(p)$, so $\phi(p)$ must be a power of 2. Thus, $p = 2^b + 1$ for some $b$. If $b$ had a nontrivial odd divisor, then we could factor $p$ as a difference of $b$ powers, contradicting the primality of $p$. Therefore, $b$ is a power of 2 and so $p$ is a Fermat prime.


a. We have $q = 2p + 1 = 2(4k + 3) + 1 = 8k + 7$, so $\left(\frac{2}{q}\right) = 1$ by Theorem 11.6. Then by Euler's criterion, $2^{(q-1)/2} = 2^p \equiv 1 \pmod q$. Therefore, $q \mid 2^p - 1$. b. $11 = 4(2) + 3$ and $23 = 2(11) + 1$, so $23 \mid 2^{11} - 1 = M_{11}$, by part (a); $23 = 4(5) + 3$ and $47 = 2(23) + 1$, so $47 \mid M_{23}$; $251 = 4(62) + 3$ and $503 = 2(251) + 1$, so $503 \mid M_{251}$.


Let $q = 2k + 1$. Because $q$ does not divide $2^k + 1$, we must have, by Exercise 38, that $k \equiv 0$ or $3 \pmod 4$. That is, $k \equiv 0$, 3, 4, or $7 \pmod 8$. Then $q \equiv 2(0, 3, 4, \text{or } 7) + 1 \equiv \pm 1 \pmod 8$.

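Note that $\left(\frac{j(j+1)}{p}\right) = \left(\frac{j \cdot j(1+\bar{j})}{p}\right) = \left(\frac{j^2(1+\bar{j})}{p}\right) = \left(\frac{1+\bar{j}}{p}\right)$ because $j^2$ is a perfect square. Then $\sum_{j=1}^{p-2}\left(\frac{j(j+1)}{p}\right) = \sum_{j=1}^{p-2}\left(\frac{\bar{j}+1}{p}\right) = \sum_{j=2}^{p-1}\left(\frac{j}{p}\right) = \sum_{j=1}^{p-1}\left(\frac{j}{p}\right) - 1 = -1$. Here we have used the method in the solution to Exercise 10 to evaluate the last sum, and the fact that as $j$ runs through the values 1 through $p - 2$, so does $\bar{j}$.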


Let $r$ be a primitive root of $p$. Then $x^2 \equiv a \pmod p$ has a solution if and only if $2\,\mathrm{ind}_r x \equiv \mathrm{ind}_r a \pmod{p - 1}$ has a solution in $\mathrm{ind}_r x$. Because $p - 1$ is even, the last congruence is solvable if and only if $\mathrm{ind}_r a$ is even, which happens when $a = r^2, r^4, \ldots, r^{p-1}$, i.e., $(p - 1)/2$ times.


$q = 2(4k + 1) + 1 = 8k + 3$, so 2 is a quadratic nonresidue of $q$. By Exercise 33, 2 is a primitive root.


Check that $q \equiv 3 \pmod 4$, so $-1$ is a quadratic nonresidue of $q$. Because $4 = 2^2$, we have $\left(\frac{-4}{q}\right) = \left(\frac{-1}{q}\right)\left(\frac{4}{q}\right) = (-1)(1) = -1$. Therefore, $-4$ is a nonresidue of $q$. By Exercise 33, $-4$ is a primitive root.


a. By adding $(2b)^2$ to both sides, we complete the square. b. There are four solutions to $x^2 \equiv C + a \pmod{pq}$. From each, subtract $2b$. c. DETOUR


a. By noting this, the second player can tell which cards dealt are quadratic residues, because the ciphertext will also be quadratic residues modulo $p$. b. All ciphers will be quadratic residues modulo $p$.


1, 3, 4




Section 11.2 
la—-l b1lo«.léda1éieatléifi 


3. If p = 1 (mod 6), there are 2 cases: If p = 1 (mod 4), then (=1) = = land (2) = (4) = (3) =-1. 


So (=2) = 1. If p =3 (mod 4), then (=1) = —1and (3) = - (§), 80 ($3) = )(-1 = 1. If 
= —1(mod 6) and p = 1 (mod 4), then (=3) = (3 3) = -(§) = (51) =-L tp =3 
(— 


int, (2) = (2) (2) = (8) 08) =( 

5. p = 1, 3, 9, 19, 25, or 27 (mod 28) 

7. a. $F_1 = 2^2 + 1 = 5$. We find that $3^{(F_1-1)/2} = 3^{(5-1)/2} = 3^2 = 9 \equiv -1 \pmod{F_1}$. Hence by Pepin's test, we come to the (already obvious) conclusion that $F_1 = 5$ is prime. b. $F_3 = 2^{2^3} + 1 = 257$. We find that $3^{(F_3-1)/2} = 3^{(257-1)/2} = 3^{128} = (3^8)^{16} \equiv 136^{16} = (136^4)^4 \equiv 64^4 = (64^2)^2 \equiv 241^2 \equiv 256 \equiv -1 \pmod{257}$. Hence by Pepin's test, $F_3 = 257$ is prime. c. $3^{32768} = 3^{255 \cdot 128}3^{128} \equiv 94^{128}3^{128} \equiv -1 \pmod{F_4}$.

9. a. The lattice points in the rectangle are the points $(i, j)$ where $0 < i < p/2$ and $0 < j < q/2$. These are the lattice points $(i, j)$ with $i = 1, 2, \ldots, (p - 1)/2$ and $j = 1, 2, \ldots, (q - 1)/2$. Consequently, there are $(p - 1)/2 \cdot (q - 1)/2$ such lattice points. b. The points on the diagonal connecting $O$ and $C$ are the points $(x, y)$ where $y = (q/p)x$. Suppose that $x$ and $y$ are integers with $y = (q/p)x$. Then $py = qx$. Because $(p, q) = 1$, it follows that $p \mid x$, which is impossible if $0 < x < p/2$. Hence, there are no lattice points on this diagonal. c. The number of lattice points in the triangle with vertices $O$, $A$, and $C$ is the number of lattice points $(i, j)$ with $i = 1, 2, \ldots, (p - 1)/2$ and $1 \le j \le iq/p$. For a fixed value of $i$ in the indicated range, there are $[iq/p]$ lattice points $(i, j)$ in the triangle. Hence, the total number of lattice points in the triangle is $\sum_{i=1}^{(p-1)/2} [iq/p]$. d. The number of lattice points in the triangle with vertices $O$, $B$, and $C$ is the number of lattice points $(i, j)$ with $j = 1, 2, \ldots, (q - 1)/2$ and $1 \le i \le jp/q$. For a fixed value of $j$ in the indicated range, there are $[jp/q]$ lattice points $(i, j)$ in the triangle. Hence the total number of lattice points in the triangle is $\sum_{j=1}^{(q-1)/2} [jp/q]$. e. Because there are $(p - 1)/2 \cdot (q - 1)/2$ lattice points in the rectangle, and no points on the diagonal $OC$, the sum of the numbers of lattice points in the triangles $OBC$ and $OAC$ is $(p - 1)/2 \cdot (q - 1)/2$. By parts (b) and (c), it follows that $\sum_{j=1}^{(p-1)/2} [jq/p] + \sum_{j=1}^{(q-1)/2} [jp/q] = (p - 1)/2 \cdot (q - 1)/2$. By Lemma 11.3, it follows that $\left(\frac{p}{q}\right) = (-1)^{T(p,q)}$ and $\left(\frac{q}{p}\right) = (-1)^{T(q,p)}$ where $T(p, q) = \sum_{j=1}^{(q-1)/2} [jp/q]$ and $T(q, p) = \sum_{j=1}^{(p-1)/2} [jq/p]$. We conclude that $\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{(p-1)/2 \cdot (q-1)/2}$. This is the law of quadratic reciprocity.
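11. First suppose $a = 2$. Then we have $p \equiv \pm q \pmod 8$ and so $\left(\frac{2}{p}\right) = \left(\frac{2}{q}\right)$ by Theorem 11.6. Now suppose $a$ is an odd prime. If $p \equiv q \pmod{4a}$, then $p \equiv q \pmod a$ and so $\left(\frac{p}{a}\right) = \left(\frac{q}{a}\right)$. And because $p \equiv q \pmod 4$, $(p - 1)/2 \equiv (q - 1)/2 \pmod 2$. Then by Theorem 11.7, $\left(\frac{a}{p}\right) = \left(\frac{p}{a}\right)(-1)^{(p-1)/2 \cdot (a-1)/2} = \left(\frac{q}{a}\right)(-1)^{(q-1)/2 \cdot (a-1)/2} = \left(\frac{a}{q}\right)$. But if $p \equiv -q \pmod{4a}$, then $p \equiv -q \pmod a$ and so $\left(\frac{p}{a}\right) = \left(\frac{-q}{a}\right)$. And because $p \equiv -q \pmod 4$, $(p - 1)/2 \equiv (q - 1)/2 + 1 \pmod 2$. Then by Theorem 11.7, $\left(\frac{a}{p}\right) = \left(\frac{p}{a}\right)(-1)^{(p-1)/2 \cdot (a-1)/2} = \left(\frac{-q}{a}\right)(-1)^{((q-1)/2+1) \cdot (a-1)/2} = \left(\frac{-1}{a}\right)(-1)^{(a-1)/2}\left(\frac{a}{q}\right) = \left(\frac{a}{q}\right)$. The general case follows from the multiplicativity of the Legendre symbol.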
13. a. Recall that $e^{xi} = 1$ if and only if $x$ is a multiple of $2\pi$. First, we compute $(e^{(2\pi i/n)k})^n = e^{(2\pi i/n)nk} = (e^{2\pi i})^k = 1^k = 1$, so $e^{(2\pi i/n)k}$ is an $n$th root of unity. Now, if $(k, n) = 1$, then $((2\pi i/n)k)a$ is a multiple of $2\pi i$ if and only if $n \mid a$. Therefore, $a = n$ is the least positive integer for which $(e^{(2\pi i/n)k})^a = 1$. Therefore, $e^{(2\pi i/n)k}$ is a primitive $n$th root of unity. Conversely, suppose $(k, n) = d > 1$. Then $(e^{(2\pi i/n)k})^{n/d} = (e^{2\pi i})^{k/d} = 1$, because $k/d$ is an integer, and so in this case $e^{(2\pi i/n)k}$ is not a primitive $n$th root of unity. b. Let $m = l + kn$ where $k$ is an integer. Then $\zeta^m = \zeta^{l+kn} = \zeta^l\zeta^{kn} = \zeta^l$. Now suppose $\zeta$ is a primitive $n$th root of unity and that $\zeta^m = \zeta^l$, and without loss of generality, assume $m \ge l$. From the first part of this exercise, we may take $0 \le l \le m < n$. Then $0 = \zeta^m - \zeta^l = \zeta^l(\zeta^{m-l} - 1)$. Hence, $\zeta^{m-l} = 1$. Because $n$ is the least positive integer such that $\zeta^n = 1$, we must have $m - l = 0$. c. First, $f(z + 1) = e^{2\pi i(z+1)} - e^{-2\pi i(z+1)} = e^{2\pi iz}e^{2\pi i} - e^{-2\pi iz}e^{-2\pi i} = e^{2\pi iz} \cdot 1 - e^{-2\pi iz} \cdot 1 = f(z)$. Next, $f(-z) = e^{-2\pi iz} - e^{2\pi iz} = -(e^{2\pi iz} - e^{-2\pi iz}) = -f(z)$. Finally, suppose $f(z) = 0$. Then $0 = e^{2\pi iz} - e^{-2\pi iz} = e^{-2\pi iz}(e^{4\pi iz} - 1)$, so $e^{4\pi iz} = 1$. Therefore, $4\pi iz = 2\pi in$ for some integer $n$, and so $z = n/2$. d. Fix $y$ and consider $g(x) = x^n - y^n$ and $h(x) = (x - y)(\zeta x - \zeta^{-1}y) \cdots (\zeta^{n-1}x - \zeta^{-(n-1)}y)$ as polynomials in $x$. Both polynomials have degree $n$. The leading coefficient in $h(x)$ is $\zeta^{1+2+\cdots+(n-1)} = \zeta^{n(n-1)/2} = (\zeta^n)^{(n-1)/2} = 1$, because $n - 1$ is even. So both polynomials are monic. Further, note that $g(\zeta^{-2k}y) = (\zeta^{-2k}y)^n - y^n = y^n - y^n = 0$ for $k = 0, 1, 2, \ldots, n - 1$. Also, $h(\zeta^{-2k}y)$ has $(\zeta^k\zeta^{-2k}y - \zeta^{-k}y) = (\zeta^{-k}y - \zeta^{-k}y) = 0$ as one of its factors. So $g$ and $h$ are monic polynomials sharing these $n$ distinct zeros (because $-2k$ runs through a complete set of residues modulo $n$, by Theorem 4.7). By the fundamental theorem of algebra, $g$ and $h$ are identical.

e. Let x = e?"'2 and y = e~?"!2 in the identity from part (d). Then the right-hand side be- 


comes [Tj9 (¢*e7™% — Ce Faiz) = [PPT y (emi ett/™) — ePxi@tt/m) TTT f (: 7) ~ 
k ee , 
fOTKS a (z+ *) ie =(nty/2 F (< + *) . From the identities in part (c), this last prod- 
- k (n—1)/2 n—k (n—1)/2 k 
uct becomes Mchena f(z+*) =I f Arras =], ° f{zt1- rs = 
fe k = 
Vane 2 a (<- *). So the product above is equal to f(z) Es Di f (< + *) Ne fa 2 


s(: = *) =f 1%)” s(z + *) f (2 - *) . Then noting that the left side of the 
n n 


identity in part (d) is $(e^{2\pi iz})^n - (e^{-2\pi iz})^n = e^{2\pi inz} - e^{-2\pi inz} = f(nz)$ finishes the proof.
f. For $l = 1, 2, \ldots, (p - 1)/2$, let $k_l$ be the least positive residue of $la$ modulo $p$. Then


i ye ie (=) = ee Di? f (= by the perodicity of f established in part (c). We break 
this product into two pieces Hy<py2 vA () Tag>ps2 f (=)- Tk,<p/2 f (=) Tk,>p/2 
p—k -1/2 : 

-1(= st) = Mi<pp2 #(# ‘) Ti>p/2 ia ( ; ‘) = ne yf (=) (-1)", where N is 


the number of $k_l$ exceeding $p/2$. But by Gauss' lemma, $(-1)^N = \left(\frac{a}{p}\right)$. This establishes the identity. g. Let $z = l/p$ and $n = q$ in the identities in parts (e) and (f). Then we have $\left(\frac{q}{p}\right) =$


p—D/D ¢ (2) hs (< - (p-D/2 ya D/2 (< a *) f (< = = = oon 
P 4 P 4 
ce Bie f(- ign oS . — a) (—1)P-D/2-@-D/2. where we have used the fact that 
$f(-z) = -f(z)$ and the fact that there are exactly $(p - 1)/2 \cdot (q - 1)/2$ factors in the double product. But, by symmetry, this is exactly the expression for $\left(\frac{p}{q}\right)(-1)^{(p-1)/2 \cdot (q-1)/2}$, which completes the proof.


15. 17.

Because $p \equiv 1 \pmod 4$, we have $\left(\frac{q}{p}\right) = \left(\frac{p}{q}\right)$. And because $p \equiv 1 \pmod q$ for all primes $q \le 23$, then $\left(\frac{q}{p}\right) = \left(\frac{1}{q}\right) = 1$. Then if $a$ is an integer with $1 < a < 29$ and prime factorization $a = p_1p_2 \cdots p_k$, then each $p_i < 29$ and $\left(\frac{a}{p}\right) = \left(\frac{p_1}{p}\right) \cdots \left(\frac{p_k}{p}\right) = 1^k = 1$. So there are no quadratic nonresidues modulo $p$ less than 29. Further, because a quadratic residue must be an even power of any primitive root $r$, then $r^1$ cannot be less than 29.


a. If $a \in T$, then $a = qk$ for some $k = 1, 2, \ldots, (p - 1)/2$. So $1 \le a \le q(p - 1)/2 < (pq - 1)/2$. Further, because $k \le (p - 1)/2$, and $p$ is prime, we have $(p, k) = 1$. Because $(q, p) = 1$, then $(a, p) = (qk, p) = 1$, so $a \in S$, and hence $T \subset S$. Now suppose $a \in S - T$. Then $1 \le a \le (pq - 1)/2$ and $(a, p) = 1$, and because $a \notin T$, then $a \ne qk$ for any $k$. Thus, $(a, q) = 1$, so $(a, pq) = 1$, and so $a \in R$. Thus, $S - T \subset R$. Conversely, if $a \in R$, then $1 \le a \le (pq - 1)/2$ and $(a, pq) = 1$, so certainly $(a, q) = 1$, and so $a$ is not a multiple of $q$, and hence $a \notin T$. Hence, $a \in S - T$. Thus, $R \subset S - T$. Therefore, $R = S - T$. b. Because by part (a), $R = S - T$, we have $\prod_{a \in S} a = \prod_{a \in R} a \prod_{a \in T} a = A(q \cdot 2q \cdots ((p - 1)/2)q) = Aq^{(p-1)/2}((p - 1)/2)! \equiv A\left(\frac{q}{p}\right)((p - 1)/2)! \pmod p$ by Euler's criterion. Note that $(pq - 1)/2 = p(q - 1)/2 + (p - 1)/2$, so that we can evaluate $\prod_{a \in S} a \equiv ((p - 1)!)^{(q-1)/2}((p - 1)/2)! \equiv (-1)^{(q-1)/2}((p - 1)/2)! \pmod p$ by Wilson's theorem. When we set these two expressions congruent to each other modulo $p$ and cancel, we get $A \equiv (-1)^{(q-1)/2}\left(\frac{q}{p}\right)$, as desired. c. Because the roles of $p$ and $q$ are identical in the hypotheses and in parts (a) and (b), the result follows by symmetry. d. Assume that $(-1)^{(q-1)/2}\left(\frac{q}{p}\right) = (-1)^{(p-1)/2}\left(\frac{p}{q}\right)$. By part (b), $A \equiv \pm 1 \pmod p$, and by part (c), $A \equiv \pm 1 \pmod q$. So by the Chinese remainder theorem, we have $A \equiv \pm 1 \pmod{pq}$. Conversely, suppose $A \equiv 1 \pmod{pq}$. Then $A \equiv 1 \pmod p$ and $A \equiv 1 \pmod q$. Then by parts (b) and (c), we have $(-1)^{(q-1)/2}\left(\frac{q}{p}\right) \equiv A \equiv 1 \pmod p$ and $(-1)^{(p-1)/2}\left(\frac{p}{q}\right) \equiv A \equiv 1 \pmod q$. We conclude that $(-1)^{(q-1)/2}\left(\frac{q}{p}\right) = (-1)^{(p-1)/2}\left(\frac{p}{q}\right)$, because each side is equal to 1. A similar argument works if $A \equiv -1 \pmod{pq}$. e. If $a$ is an integer in $R$, it is in the range $1 \le a \le (pq - 1)/2$ and therefore its additive inverse modulo $pq$ is in the range $(pq + 1)/2 \le -a \le pq - 1$ in the set of reduced residue classes. By the Chinese remainder theorem, the congruence $a^2 \equiv 1 \pmod{pq}$ has exactly four solutions, $1$, $-1$, $b$, and $-b \pmod{pq}$, and the congruence $a^2 \equiv -1 \pmod{pq}$ has solutions if and only if $p \equiv q \equiv 1 \pmod 4$, and in this case it has exactly four solutions $i$, $-i$, $ib$, and $-ib \pmod{pq}$. Now for each element $a \in R$, $(a, pq) = 1$, so $a$ has a multiplicative inverse $v$. By the remark above, exactly one of $v$, $-v$ is in $R$. We let $U$ be the set of those elements that are their own inverse or their own negative inverse, that is, let $U = \{a \in R \mid a^2 \equiv \pm 1 \pmod{pq}\}$. Then when we compute $A$, all other elements will be paired with another element that is either its inverse or the negative of its inverse. Thus, we have $A = \prod_{a \in R} a \equiv \pm \prod_{a \in U} a \pmod{pq}$. So if $p \equiv q \equiv 1 \pmod 4$, then $A \equiv \pm \prod_{a \in U} a \equiv \pm(1 \cdot b \cdot i \cdot ib) \equiv \pm b^2i^2 \equiv \pm 1 \pmod{pq}$. Conversely, in the other case, $A \equiv \pm \prod_{a \in U} a \equiv \pm(1 \cdot c) \not\equiv \pm 1 \pmod{pq}$, which completes the proof. f. By parts (d) and (e), we have that $(-1)^{(q-1)/2}\left(\frac{q}{p}\right) = (-1)^{(p-1)/2}\left(\frac{p}{q}\right)$ if and only if $p \equiv q \equiv 1 \pmod 4$. So if $p \equiv q \equiv 1 \pmod 4$, we have $\left(\frac{q}{p}\right) = \left(\frac{p}{q}\right)$. But if $p \equiv 1 \pmod 4$ while $q \equiv 3 \pmod 4$, then we must have $-\left(\frac{q}{p}\right) \ne \left(\frac{p}{q}\right)$, which means we must change the sign and have $\left(\frac{q}{p}\right) = \left(\frac{p}{q}\right)$. The case where $p \equiv 3 \pmod 4$ but $q \equiv 1 \pmod 4$ is identical. If $p \equiv q \equiv 3 \pmod 4$, then we must have $-\left(\frac{q}{p}\right) \ne -\left(\frac{p}{q}\right)$ so that we must have $-\left(\frac{q}{p}\right) = \left(\frac{p}{q}\right)$, which concludes the proof.

Section 11.3 


11. 13. 15. 17.

a. 1 b. −1 c. 1 d. 1 e. −1 f. 1

1, 7, 13, 17, 19, 29, 37, 49, 61, 67, 71, 77, 83, 91, 101, 103, 107, 113, or 119 (mod 120) 

The pseudo-squares modulo 21 are 5, 17, and 20. 

The pseudo-squares modulo 143 are 1, 3, 4, 9, 12, 14, 16, 23, 25, 27, 36, 38, 42, 48, 49, 53, 56, 
64, 69, 75, 81, 82, 92, 100, 103, 108, 113, 114, 126, and 133. 

Because $n$ is odd and square-free, $n$ has prime factorization $n = p_1p_2 \cdots p_r$. Let $b$ be one of the $(p_1 - 1)/2$ quadratic nonresidues of $p_1$, so that $\left(\frac{b}{p_1}\right) = -1$. By the Chinese remainder theorem, let $a$ be a solution to the system of linear congruences


$x \equiv b \pmod{p_1}$
$x \equiv 1 \pmod{p_2}$
$\vdots$
$x \equiv 1 \pmod{p_r}$.


me) =(8) = (8) = (8) =o) “(B= 


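Therefore, $\left(\frac{a}{n}\right) = \left(\frac{a}{p_1}\right)\left(\frac{a}{p_2}\right) \cdots \left(\frac{a}{p_r}\right) = (-1) \cdot 1 \cdots 1 = -1$.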


a. Note that (a, b) = (b, r}) = (1, r2) = +++ = (Tn_-1, Tn) = 1 and because the q; are even, 
the r; are odd. Because rp = b and a = €,r; (mod b), we have (¢) = (24) = (2) (2) = 


ro TO ut) 
(2) (2) (—1)(0-D/2.-)/2 py Theorem 11.11. Ife, = 1, then (2) = (—1)%o-D/2ar-D/2 (22) 
If €,; = —1, then (2) = = (—1)’0-)/? and we have (¢) = (—1)o-D/2- 1/2 (22) = 


ry, 
(—1)0-D/2-Cn-D/2 (22) = (—1)%0-D/2-(qn-)/2 (22), because (7, + 1)/2 and (—r; — 1)/2 
have the same parity. Similarly, (2) = = (—1)%-D/2-2n—1)/2 (2), 
so ($) = a 1) @o—D/2-11-D/2401-D/2-2r2—-D/2 (2). Proceed inductively until the last step, 


a )=(2 y=t b. If either 7;_; = 1 (mod 4) or e;r; = 1 (mod 4), then (7;_,; — 1)/2- 


-1 Th-1 
(€qr; — 1/23 is even. Otherwise, that is, if r;_; = €;r; = 3 (mod 4), then (7;_, — 1)/2- (6,7; — 1/2 
is odd. Then the exponent in part (a) is even or odd as T is even or odd. 


a. −1 b. −1 c. 1
Let ny = pip,” - ++ p® andn2 = q'gy? vee gis be the prime factorizations of n, and ny. Then by 
a a, b b, 
the definition of the Kronecker symbol, we have (545) = (+) rete (+) (+) me (2) = 
a\(a 
@) (x). 


If a is odd, then by Exercise 16, we have (+) = (7). By Theorem 11.10(), we have 


lal la| 


s >2 and t odd, Exercise 16 gives (2) = (2) (—1)¢-D/2-@u-D/2 (7) and (+) = 


1 


(4) = (73) = (+), using Exercise 16 again. If a is a multiple of 4, say, a = 2°t with 


19.
4 | a, n; =np (mod 4), and so (—1)¢-)/2-1-D/2 — (—1)¢-D/2-2—-D/2., Now a = 0 (mod 4), so 
2 
ng 


(2 .)" (-1)¢-D/2-@2-D/2 (it). Because n, =n (mod | t |), we have (H)= = ( ji). and because 


2 2 
s >2.Ifs is 2, then certainly (2 = .If s > 2, then 8| a and n; =n (mod 8), so 


2_ 2_ 
(2) = (-F-DB = (1) -DB (2). iheeetare, (2) a (2). 
If a = 1 (mod 4), then |a| = 1 (mod 4) ifa > 0 and |a| = —1 (mod 4) ifa < 0, so by Exercise 16 we 
have (ga :)= (4:7) = (a)= = (—1)(4l-D/? = 1ifa > Oand = —1lifa <0. Ifa =0 (mod 4), 
a = 2°t with t odd and |t| > 3, then by Exercise 16 (ait :)= (ais i) (-1)¢- 1)/2 (44 ‘), Be- 
= = (2 (lal-1) — 
ait) =1 (la|—-1=7 (mod 8) ifs > 2). Also, (—)'-9? (lit) = 


(—pe-D2 (7)= = (—1)¢-D/2+(tl-D/2 — 1 if > O and = lift <0. 


cause s > 2, check that (a 


Section 11.4 


1. 


We have $2^{(561-1)/2} = 2^{280} = (2^{10})^{28} \equiv (-98)^{28} = (98^2)^{14} \equiv 67^{14} = (67^2)^7 \equiv 1^7 = 1 \pmod{561}$. Furthermore, we see that $\left(\frac{2}{561}\right) = 1$ because $561 \equiv 1 \pmod 8$. But $561 = 3 \cdot 11 \cdot 17$ is not prime.


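Suppose that $n$ is an Euler pseudoprime to both the bases $a$ and $b$. Then $a^{(n-1)/2} \equiv \left(\frac{a}{n}\right)$ and $b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod n$. It follows that $(ab)^{(n-1)/2} \equiv \left(\frac{a}{n}\right)\left(\frac{b}{n}\right) = \left(\frac{ab}{n}\right) \pmod n$. Hence, $n$ is an Euler pseudoprime to the base $ab$.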


Suppose that $n \equiv 5 \pmod 8$ and $n$ is an Euler pseudoprime to the base 2. Because $n \equiv 5 \pmod 8$, we have $\left(\frac{2}{n}\right) = -1$. Because $n$ is an Euler pseudoprime to the base 2, we have $2^{(n-1)/2} \equiv \left(\frac{2}{n}\right) = -1 \pmod n$. Write $n - 1 = 2^2t$ where $t$ is odd. Because $2^{(n-1)/2} = 2^{2t} \equiv -1 \pmod n$, $n$ is a strong pseudoprime to the base 2.
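The checks used in the Section 11.4 answers above can be run directly. The following Python is an added example, not part of the book: it computes the Jacobi symbol without factoring, applies the Euler test to 561, and confirms on small numbers that Euler pseudoprimes to the base 2 that are 5 (mod 8) also pass Miller's test. All function names are chosen here for illustration.

```python
from math import gcd, isqrt


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, computed with reciprocity (no factoring)."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    sign = 1
    while a:
        while a % 2 == 0:                 # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                sign = -sign
        a, n = n, a                       # reciprocity flips the sign iff both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            sign = -sign
        a %= n
    return sign if n == 1 else 0          # 0 means gcd(a, n) > 1


def is_composite(n: int) -> bool:
    """Trial division; adequate for the small moduli used here."""
    return n > 3 and any(n % d == 0 for d in range(2, isqrt(n) + 1))


def passes_euler_test(n: int, a: int) -> bool:
    """True when a^((n-1)/2) = (a/n) (mod n) for odd n; the Solovay-Strassen check."""
    j = jacobi(a, n)
    return j != 0 and pow(a, (n - 1) // 2, n) == j % n


def is_euler_pseudoprime(n: int, a: int) -> bool:
    return n % 2 == 1 and is_composite(n) and passes_euler_test(n, a)


def is_strong_pseudoprime(n: int, a: int) -> bool:
    """Composite odd n that passes Miller's test to the base a."""
    if n % 2 == 0 or not is_composite(n) or gcd(a, n) != 1:
        return False
    s, t = 0, n - 1
    while t % 2 == 0:
        s, t = s + 1, t // 2
    x = pow(a, t, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def euler_test_failures(n: int, bases) -> list:
    """Bases coprime to n for which the Euler test exposes n as composite."""
    return [a for a in bases if gcd(a, n) == 1 and not passes_euler_test(n, a)]


def euler_psp_base2_5mod8(limit: int) -> list:
    """Euler pseudoprimes to the base 2 below limit that are 5 (mod 8)."""
    return [n for n in range(5, limit, 8) if is_euler_pseudoprime(n, 2)]


if __name__ == "__main__":
    print("2^280 mod 561 =", pow(2, 280, 561), " (2/561) =", jacobi(2, 561))
    print("bases in 2..20 that reject 561:", euler_test_failures(561, range(2, 21)))
    for n in euler_psp_base2_5mod8(30000):
        print(n, "strong pseudoprime to base 2:", is_strong_pseudoprime(n, 2))
```

A primality check that relies on one fixed base accepts 561; testing several independent bases is what makes the Euler test useful in practice.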


$n \equiv 5 \pmod{40}$


9. 80 


Section 11.5 


. 1229 


Because $p, q \equiv 3 \pmod 4$, $-1$ is not a quadratic residue modulo $p$ or $q$. If the four square roots


are found using the method in Example 9.19, then only one of each possibility for choosing + or 
— can yield a quadratic residue in each congruence, so there is only one system that results in a 
square. 


If Paula chooses $c = 13$, then $v = 713$, which is a quadratic residue of 1411, and which has square root $u \equiv 837 \pmod{1411}$. Her random number is 822, so she computes $x \equiv 822^2 \equiv 1226 \pmod{1411}$ and $y \equiv v\bar{x} \equiv 713 \cdot 961 \equiv 858 \pmod{1411}$. She sends $x = 1226$, $y = 858$ to Vince. Vince checks that $xy \equiv 1226 \cdot 858 \equiv 713 \pmod{1411}$ and then sends the bit $b = 1$ to Paula, so she computes $\bar{r} \equiv \overline{822} \equiv 1193 \pmod{1411}$ and $u\bar{r} \equiv 837 \cdot 1193 \equiv 964 \pmod{1411}$, which she sends to Vince. Because Vince sent $b = 1$, he computes $964^2 \equiv 858 \pmod{1411}$ and notes that it is indeed equal to $y$.
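The round worked through above, with both parties' messages, as an added Python example (not part of the book). The values 1411, 713, 837 and 822 are taken from the answer; the class and function names are chosen here, and the handling of the challenge bit b = 0 (Paula reveals r, Vince checks r² ≡ x) is assumed from the usual form of this protocol, since the answer only exercises b = 1.

```python
import secrets
from math import gcd

N, V, U = 1411, 713, 837   # modulus, Paula's public value, her secret square root of V


class Prover:
    """Paula: knows u with u^2 = v (mod n)."""

    def __init__(self, n, v, u):
        if pow(u, 2, n) != v % n:
            raise ValueError("u is not a square root of v modulo n")
        self.n, self.v, self.u = n, v, u
        self.r = None

    def commit(self, r=None):
        """Choose a unit r and send x = r^2 and y = v * x^-1 (mod n)."""
        if r is None:
            r = 0
            while gcd(r, self.n) != 1:
                r = secrets.randbelow(self.n - 2) + 2
        elif gcd(r, self.n) != 1:
            raise ValueError("r must be invertible modulo n")
        self.r = r
        x = pow(r, 2, self.n)
        y = self.v * pow(x, -1, self.n) % self.n
        return x, y

    def respond(self, b):
        """b = 0: reveal r (assumed branch). b = 1: reveal u * r^-1, a square root of y."""
        r, self.r = self.r, None            # a commitment is answered only once
        if r is None:
            raise RuntimeError("commit() must precede every response")
        return r if b == 0 else self.u * pow(r, -1, self.n) % self.n


class Verifier:
    """Vince: knows only n and v."""

    def __init__(self, n, v):
        self.n, self.v = n, v
        self.x = self.y = None

    def receive_commitment(self, x, y):
        if x * y % self.n != self.v % self.n:
            return False                    # x and y are not consistent with v
        self.x, self.y = x, y
        return True

    def challenge(self):
        return secrets.randbelow(2)

    def verify(self, b, s):
        target = self.x if b == 0 else self.y
        return pow(s, 2, self.n) == target


def run_round(r=None, b=None):
    """One round; r and b can be fixed to replay the numbers in the answer."""
    paula, vince = Prover(N, V, U), Verifier(N, V)
    x, y = paula.commit(r)
    commitment_ok = vince.receive_commitment(x, y)
    if b is None:
        b = vince.challenge()
    s = paula.respond(b)
    return {"x": x, "y": y, "b": b, "response": s,
            "accepted": commitment_ok and vince.verify(b, s)}


if __name__ == "__main__":
    print(run_round(r=822, b=1))   # the exchange from the answer
    print(run_round(r=822, b=0))   # the other challenge, same commitment
```

Each round uses a fresh r: answering both challenges for the same commitment would reveal r and u·r̄, and their product is the secret u.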


The prover sends $x = 1403^2 = 1{,}968{,}409 \equiv 519 \pmod{2491}$. The verifier sends $\{1, 5\}$. The prover sends $y = 1425$. The verifier computes $y^2z \equiv 1425^2 \cdot 197 \cdot 494 \equiv 519 \equiv x \pmod{2491}$.

a. 959, 1730, 2895, 441, 2900, 2684 b. 1074 c. $1074^2 \cdot 959 \cdot 1730 \cdot 441 \cdot 2684 \equiv 336 \equiv 403^2 \pmod{3953}$


If Paula sends back $a$ to Vince, then $a^2 \equiv w^2 \pmod n$, with $a \not\equiv w \pmod n$. Then $a^2 - w^2 = (a - w)(a + w) \equiv 0 \pmod n$. By computing $(a - w, n)$ and $(a + w, n)$, Vince will likely produce a nontrivial factor of $n$.


Section 12.1 


13. 15. 17. 19. 21.

a. .4 b. .416 c. .923076 d. .53 e. .009 f. .000999


a. 3/25 b. 11/90 c. 4/33


$b = 2^r3^s5^t7^u$, with $r$, $s$, $t$, and $u$ nonnegative integers


a. pre-period 1, period 0 b. pre-period 2, period 0 c. pre-period 1, period 4 d. pre-period 2, period 0 e. pre-period 1, period 1 f. pre-period 2, period 4


a. 3 b. 11 c. 37 d. 101 e. 41 and 271 f. 7 and 13


Using the construction from Theorem 12.2 and Example 12.1, we use induction to show that $c_k = k - 1$ and $\gamma_k = (kb - k + 1)/(b - 1)^2$. Clearly, $c_1 = 0$ and $\gamma_1 = b/(b - 1)^2$. The induction step is as follows: $c_{k+1} = [b\gamma_k] = [(kb^2 - bk + b)/(b - 1)^2] = [(k(b - 1)^2 + b(k + 1) - k)/(b - 1)^2] = [k + (b(k + 1) - k)/(b - 1)^2] = k$, and $\gamma_{k+1} = ((k + 1)b - k)/(b - 1)^2$, if $k \ne b - 2$. If $k = b - 2$, we have $c_{b-1} = b - 1$, so we have determined $b - 1$ consecutive digits of the expansion. From the binomial theorem, $(x + 1)^a \equiv ax + 1 \pmod{x^2}$, so $\mathrm{ord}_{(b-1)^2}\,b = b - 1$, which is the period length. Therefore, we have determined the entire expansion.


The base $b$ expansion is $(.100100001\ldots)_b$, which is non-repeating and therefore by Theorem 12.4 represents an irrational number.


Let $\gamma$ be a real number. Set $c_0 = [\gamma]$ and $\gamma_1 = \gamma - c_0$. Then $0 \le \gamma_1 < 1$ and $\gamma = c_0 + \gamma_1$. From the condition that $c_k < k$ for $k = 1, 2, 3, \ldots$, we must have $c_1 = 0$. Let $c_2 = [2\gamma_1]$ and $\gamma_2 = 2\gamma_1 - c_2$. Then $\gamma_1 = (c_2 + \gamma_2)/2$, so $\gamma = c_0 + c_1/1! + c_2/2! + \gamma_2/2!$. Now let $c_3 = [3\gamma_2]$ and $\gamma_3 = 3\gamma_2 - c_3$. Then $\gamma_2 = (c_3 + \gamma_3)/3$ and so $\gamma = c_0 + c_1/1! + c_2/2! + c_3/3! + \gamma_3/3!$. Continuing in this fashion, for each $k = 2, 3, \ldots$, define $c_k = [k\gamma_{k-1}]$ and $\gamma_k = k\gamma_{k-1} - c_k$. Then $\gamma = c_0 + c_1/1! + c_2/2! + c_3/3! + \cdots + c_k/k! + \gamma_k/k!$. Because each $\gamma_k < 1$, we know that $\lim_{k \to \infty} \gamma_k/k! = 0$, so we conclude that $\gamma = c_0 + c_1/1! + c_2/2! + c_3/3! + \cdots + c_k/k! + \cdots$.

In the proof of Theorem 12.2, the numbers $p\gamma_n$ are the remainders of $b^n$ upon division by $p$. The process recurs as soon as some $\gamma_i$ repeats a value. Because $1/p = (.c_1c_2 \ldots c_{p-1})$ has period length $p - 1$, we have by Theorem 12.4 that $\mathrm{ord}_p\,b = p - 1$, so there is an integer $k$ such that $b^k \equiv m \pmod p$. So the remainders of $mb^n$ upon division by $p$ are the same as the remainders of $b^kb^n$ upon division by $p$. Hence, the $n$th digit of the expansion of $m/p$ is determined by the remainder of $b^{k+n}$ upon division by $p$. Therefore, it will be the same as the $(k + n)$th digit of $1/p$.

$n$ must be prime with 2 a primitive root.

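Let $\gamma b^{j-1} = a + \epsilon$, where $a$ is an integer and $0 \le \epsilon < 1$. Then $[\gamma b^j] - b[\gamma b^{j-1}] = [(a + \epsilon)b] - b[a + \epsilon] = ab + [\epsilon b] - ab = [\epsilon b]$. Because $0 \le \epsilon < 1$, this last expression is an integer between 0 and $b - 1$. Therefore, $0 \le [\gamma b^j] - b[\gamma b^{j-1}] \le b - 1$. Now consider the sum $\sum_{j=1}^{N} ([\gamma b^j] - b[\gamma b^{j-1}])/b^j$. Factor out $1/b^N$ to clear fractions and this becomes $(1/b^N)\sum_{j=1}^{N} (b^{N-j}[\gamma b^j] - b^{N-(j-1)}[\gamma b^{j-1}])$. This sum telescopes to $(-b^N[\gamma] + [\gamma b^N])/b^N = [\gamma b^N]/b^N$ because $[\gamma] = 0$. But $[\gamma b^N]/b^N = (\gamma b^N - \gamma b^N + [\gamma b^N])/b^N = \gamma - (\gamma b^N - [\gamma b^N])/b^N$. But $0 \le \gamma b^N - [\gamma b^N] < 1$, so taking limits as $N \to \infty$ of both sides of this equation yields $\gamma = \sum_{j=1}^{\infty} ([\gamma b^j] - b[\gamma b^{j-1}])/b^j$. By the uniqueness of the base $b$ expansion given in Theorem 12.1, we must have $c_j = [\gamma b^j] - b[\gamma b^{j-1}]$ for each $j$.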


23. 25.

fore) k fore) oo
—1)% —1)% —1)% 

Leta => ang PE = ( > . Then |a Pr) _ ~ ( _ < > ae As in 

ja) «(108 % ja 10° M1 |jX¢41 10 ime 10" 
the proof of Corollary 12.5.1, it follows that ja — Pk! oo which shows that there can be 

qk : 

no real number $C$ as in Theorem 12.5. Hence, $\alpha$ must be transcendental.
Suppose $e = h/k$. Then $k!(e - 1 - 1/1! - 1/2! - \cdots - 1/k!)$ is an integer. But this is equal to $k!(1/(k + 1)! + 1/(k + 2)! + \cdots) = 1/(k + 1) + 1/((k + 1)(k + 2)) + \cdots < 1/(k + 1) + 1/(k + 1)^2 + \cdots = 1/k < 1$. But $k!(1/(k + 1)! + 1/(k + 2)! + \cdots)$ is positive, and therefore cannot be an integer, a contradiction.


Section 12.2 


11. 13.


a. 15/7 b. 10/7 c. 6/31 d. 355/113 e. 2 f. 3/2 g. 5/3 h. 8/5


a. [1; 2, 1, 1, 2] b. [1; 1, 7, 2] c. [2; 9] d. [3; 7, 1, 1, 1, 1, 2] e. [−1; 13, 1, 1, 2, 1, 1, 2, 2]
f. [0; 9, 1, 3, 6, 2, 4, 1, 2]


a. 1, 3/2, 4/3, 7/5, 18/13 b. 1, 2, 15/8, 32/17 c. 2, 19/9 d. 3, 22/7, 25/8, 47/15, 72/23, 119/38, 310/99 e. −1, −12/13, −13/14, −25/27, −63/68, −88/95, −151/163, −390/421, −931/1005 f. 0, 1/9, 1/10, 4/39, 25/244, 54/527, 241/2352, 295/2879, 831/8110


a. 3/2 > 7/5 and 1 < 4/3 < 18/13 b. 2 > 32/17 and 1 < 15/8 c. vacuous d. 22/7 > 47/15 > 119/38 and 3 < 25/8 < 72/23 < 310/99 e. −12/13 > −25/27 > −88/95 > −390/421 and −1 < −13/14 < −63/68 < −151/163 < −931/1005 f. 1/9 > 4/39 > 54/527 > 295/2879 and 0 < 1/10 < 25/244 < 241/2352 < 831/8110


. Leta =r/s. The Euclidean algorithm for 1/a = s/r < 1 gives s = O(r) +5; r = Ao(s) + a, and 


continues just like for r/s. 


Proceed by induction. The basis case is trivial. Assume $q_j \ge f_j$ for $j < k$. Then $q_k = a_kq_{k-1} + q_{k-2} \ge a_kf_{k-1} + f_{k-2} \ge f_{k-1} + f_{k-2} = f_k$, as desired.

By Exercise 10, we have $p_n/p_{n-1} = [a_n; a_{n-1}, \ldots, a_0] = [a_0; a_1, \ldots, a_n] = p_n/q_n = r/s$ if the continued fraction is symmetric. Then $q_n = p_{n-1} = s$ and $p_n = r$, so by Theorem 12.10 we have $p_nq_{n-1} - q_np_{n-1} = rq_{n-1} - s^2 = (-1)^{n-1}$. Then $rq_{n-1} = s^2 + (-1)^{n-1}$ and so $r \mid s^2 - (-1)^n$. Conversely, if $r \mid s^2 + (-1)^{n-1}$, then $(-1)^{n-1} = p_nq_{n-1} - q_np_{n-1} = rq_{n-1} - p_{n-1}s$. So $r \mid p_{n-1}s + (-1)^{n-1}$ and hence $r \mid (s^2 + (-1)^{n-1}) - (p_{n-1}s + (-1)^{n-1}) = s(s - p_{n-1})$. Because $s, p_{n-1} < r$ and $(r, s) = 1$, we have $s = p_{n-1}$. Then $[a_n; a_{n-1}, \ldots, a_0] = p_n/p_{n-1} = r/s = [a_0; a_1, \ldots, a_n]$.

15. Note that the notation $[a_0; a_1, \ldots, a_n]$ makes sense, even when the $a_j$'s are not integers. Use induction. Assume the statement is true for $k$ odd and prove it for $k + 2$. Define $a_k' = [a_k; a_{k+1}, a_{k+2}]$ and check that $a_k' < [a_k; a_{k+1}, a_{k+2} + x] = a_k' + x'$. Then $[a_0; a_1, \ldots, a_{k+2}] = [a_0; a_1, \ldots, a_k'] > [a_0; a_1, \ldots, a_k' + x'] = [a_0; a_1, \ldots, a_{k+2} + x]$. Proceed similarly for $k$ even.

Section 12.3 

1. a. (152; 2,2).2-2:] Be (G1, 23: 1,,2)22.], -e 24,4...) Bit. 1...) 

3. 312689/99532 

5. If a; > 1, let A = [a9; a3, .. .]. Then [ag; a), .. .]+ [—@p — 15 1, ay — 1, ag, a3, .. .J= a9 + 


1 1 = sect . = 
aHU/Ay + a eet = 0. Similarly if a, = 1.

If $\alpha = [a_0; a_1, a_2, \ldots]$, then $1/\alpha = 1/[a_0; a_1, a_2, \ldots] = 0 + \frac{1}{[a_0; a_1, a_2, \ldots]} = [0; a_0, a_1, a_2, \ldots]$. Then the $k$th convergent of $1/\alpha$ is $[0; a_0, a_1, a_2, \ldots, a_{k-1}] = 1/[a_0; a_1, a_2, \ldots, a_{k-1}]$, which is the reciprocal of the $(k - 1)$st convergent of $\alpha$.


. By Theorem 12.19, such a p/q is a convergent of a. Now (/5 + 1)/2=[1;1, 1,.. .],80 Gn = fn 


(Fibonacci) and Pn = Qn+1- Then limp +00 Qn—1/4n = limy -, 900 Qn—1/ Pn-1 = 2/(/5 + 1) = (S5 a 
1)/2. So lity so ((V5+ D/2 + @n1/an)) = WS + D/2 + (WS — /2= V5. So (WS + 


1)/2 + (Qn—1/Qn) > € Only finitely often. Whence, 1/ (‘v5 +1)/2+ n-1/4n)) q? < 1/(cq2) 
only finitely often. The following identity finishes the proof. Note that a, =a for all n. Then 
|x _ (Pn/Fn)| = |(@n+1P 2 ag Pn—1)/(Qn+19n ak Qn—-1) = (Pn/Qn)| = \(—@ndn—1 = Pn—19n))/ 
(Qn(@4n + 4n—1))| = 1/(G2(@ + (Qn—1/4n))- 

If $\beta$ is equivalent to $\alpha$, then $\beta = (a\alpha + b)/(c\alpha + d)$. Solving for $\alpha$ gives $\alpha = (-d\beta + b)/(c\beta - a)$, so $\alpha$ is equivalent to $\beta$.

By symmetry and transitivity (Exercises 11 and 12), it suffices to show that every rational number $\alpha = m/n$ (which we can assume is in lowest terms) is equivalent to 1. By the Euclidean algorithm, we can find $a$ and $b$ such that $ma + nb = 1$. Let $d = m + b$ and $c = a - n$. Then $(a\alpha + b)/(c\alpha + d) = 1$.


Note that $p_{k,t}q_{k-1} - q_{k,t}p_{k-1} = t(p_{k-1}q_{k-1} - q_{k-1}p_{k-1}) + (p_{k-2}q_{k-1} - p_{k-1}q_{k-2}) = \pm 1$. Thus, $p_{k,t}$ and $q_{k,t}$ are relatively prime.


See, for example, the classic work by O. Perron, Die Lehre von den Kettenbriichen, Leipzig, 
Teubner (1929). 


179/57 


Note first that if $b < d$, then $|a/b - c/d| < 1/2d^2$ implies that $|ad - bc| < b/2d < 1/2$, but because $b \ne d$, $|ad - bc|$ is a positive integer, and so is greater than 1/2. Thus, $b > d$. Now assume that $c/d$ is not a convergent of the continued fraction for $a/b$. Because the denominators of the convergents increase to $b$, there must be two successive convergents $p_n/q_n$ and $p_{n+1}/q_{n+1}$ such that $q_n < d < q_{n+1}$. Next, by the triangle inequality we have


2 BB ns Pale: WE Bm) 3 AED 8 Pa 
b d d Qn b Qn d Qn Qn+1 Qn 
convergent is on the other side of a/b from the nth convergent. Because the numerator of the 
first difference on the right side is a nonzero integer, and applying Corollary 12.3 to the second 


difference, we have the last expression greater than or equal to 1/dq, — 1/qn+19q,- If we multiply 


daonsnnged? wegeen a= 1- si >1- 
2 Qn Qn+1 Qn+1 


a Cc 


1/2d? > 


, because the n + Ist 


because d/q, > 1. From which we 


deduce that 1/2 < d/qn4. 
The convergents p,/q, and P,+1/qn+1 divide the line into three regions. As c/d could be in 
€_ Pn 
Qn \d 
because the numerator of the fraction is a positive integer and the denominators on both sides 


of the inequality are the same. This last is less than or equal to Bae — Pals 
Qn+1 Qn 9n+19n 
the n + Ist convergent is farther from the nth convergent than c/d and where we have applied 
Corollary 12.3. But this implies that d > q,,1, a contradiction. Case 2: If c/d is closer to p,./qn; 
< Fi Pn < 2 ee because a/b is on the other side of the nth convergent 
dan d= an b od 
from c/d. But this last is less than 1/2d”, and if we multiply through by d, we have 1/q, < 1/2d, 


< 


any of these, there are three cases. Case 1: If c/d is between the convergents, then 


because 


then again
which implies that $q_n > d$, a contradiction. Case 3: If $c/d$ is closer to $p_{n+1}/q_{n+1}$, then with the


< |& _ Path 

9n+1 ~ |d Qn+1 
that $d/q_{n+1} < 1/2$, contradicting the inequality established above. Having exhausted all the cases, we must conclude that $c/d$ must be a convergent of the continued fraction for $a/b$.


a Cc 


same reasoning as in Case 2, we have r < 1/2d”. But this implies 


Section 12.4 


1. a. [2; 1, 1, 1, 4] b. [3; 3, 6] c. [4; 1, 3, 1, 8] d. [6; 1, 5, 1, 12] e. [7; 1, 2, 7, 2, 1, 14]
f. [9; 1, 2, 3, 1, 1, 5, 1, 8, 1, 5, 1, 1, 3, 2, 1, 18]

3. a. [2; 2] b. [1; 2, 2, 2, 1, 12, 1] c. [0; 1, 1, 2, 3, 10, 3]

5. a. (23+ V29)/10  b.(—14+3V5)/2_ ¢. (8+ V82)/6 

7. a. $\sqrt{10}$ b. $\sqrt{17}$ c. $\sqrt{26}$ d. $\sqrt{37}$

9. a. We have $\alpha_0 = \sqrt{d^2 - 1}$, $a_0 = d - 1$, $P_0 = 0$, $Q_0 = 1$, $P_1 = (d - 1)1 - 0 = d - 1$, $Q_1 = ((d^2 - 1) - (d - 1)^2)/1 = 2d - 2$, $\alpha_1 = (d - 1 + \sqrt{d^2 - 1})/(2(d - 1)) = 1/2 + (1/2)\sqrt{(d + 1)/(d - 1)}$, $a_1 = 1$, $P_2 = 1(2d - 2) - (d - 1) = d - 1$, $Q_2 = (d^2 - 1 - (d - 1)^2)/(2d - 2) = 1$, $\alpha_2 = (d - 1 + \sqrt{d^2 - 1})/1$, $a_2 = 2d - 2$, $P_3 = 2(d - 1)(1) - (d - 1) = d - 1 = P_1$, $Q_3 = ((d^2 - 1) - (d - 1)^2)/1 = 2d - 2 = Q_1$, so $\alpha = [d - 1; \overline{1, 2(d - 1)}]$. b. We have $\alpha_0 = \sqrt{d^2 - d}$, $a_0 = [\sqrt{d^2 - d}] = d - 1$, because $(d - 1)^2 < d^2 - d < d^2$. Then $P_0 = 0$, $Q_0 = 1$, $P_1 = d - 1$, $Q_1 = d - 1$, $\alpha_1 = ((d - 1) + \sqrt{d^2 - d})/(d - 1) = 1 + \sqrt{d/(d - 1)}$, $a_1 = 2$, $P_2 = d - 1$, $Q_2 = 1$, $\alpha_2 = ((d - 1) + \sqrt{d^2 - d})/1$, $a_2 = 2(d - 1)$, $P_3 = P_1$, $Q_3 = Q_1$. Therefore, $\sqrt{d^2 - d} = [d - 1; \overline{2, 2(d - 1)}]$. c. $[9; \overline{1, 18}]$, $[10; \overline{2, 20}]$, $[16; \overline{2, 32}]$, $[24; \overline{2, 48}]$

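11. a. Note that $d < \sqrt{d^2 + 4} < d + 1$. Then $\alpha_0 = \sqrt{d^2 + 4}$, $a_0 = d$, $P_0 = 0$, $Q_0 = 1$, $P_1 = d$, $Q_1 = 4$, $\alpha_1 = (d + \sqrt{d^2 + 4})/4$, $a_1 = [2d/4] = (d - 1)/2$, because $d$ is odd. Also, $P_2 = d - 2$, $Q_2 = d$, $\alpha_2 = (d - 2 + \sqrt{d^2 + 4})/d$, $((d - 2) + d)/d < \alpha_2 < (d - 2 + d + 1)/d$, so $a_2 = 1$, $P_3 = 2$, $Q_3 = d$, $\alpha_3 = (2 + \sqrt{d^2 + 4})/d$, $a_3 = 1$, $P_4 = d - 2$, $Q_4 = 4$, $\alpha_4 = (d - 2 + \sqrt{d^2 + 4})/4$, $(d - 2 + d)/4 = (d - 1)/2 < \alpha_4 < (d - 2 + d + 1)/4$, so $a_4 = (d - 1)/2$, $P_5 = d$, $Q_5 = 1$, $\alpha_5 = (d + \sqrt{d^2 + 4})/1$, $a_5 = 2d$, $P_6 = d = P_1$, $Q_6 = 4 = Q_1$. Thus, $\alpha = [d; \overline{(d - 1)/2, 1, 1, (d - 1)/2, 2d}]$. b. Note that $d - 1 < \sqrt{d^2 - 4} < d$. Then $\alpha_0 = \sqrt{d^2 - 4}$, $a_0 = d - 1$, $P_0 = 0$, $Q_0 = 1$, $P_1 = d - 1$, $Q_1 = 2d - 5$, $\alpha_1 = (d - 1 + \sqrt{d^2 - 4})/(2d - 5)$, $(d - 1 + d - 1)/(2d - 5) < \alpha_1 < (d - 1 + d)/(2d - 5)$ and $d > 3$ so $a_1 = 1$, $P_2 = d - 4$, $Q_2 = 4$, $\alpha_2 = (d - 4 + \sqrt{d^2 - 4})/4$, $a_2 = (d - 3)/2$, $P_3 = d - 2$, $Q_3 = d - 2$, $\alpha_3 = (d - 2 + \sqrt{d^2 - 4})/(d - 2)$, $a_3 = 2$, $P_4 = d - 2$, $Q_4 = 4$, $\alpha_4 = (d - 2 + \sqrt{d^2 - 4})/4$, $a_4 = (d - 3)/2$, $P_5 = d - 4$, $Q_5 = 2d - 5$, $\alpha_5 = (d - 4 + \sqrt{d^2 - 4})/(2d - 5)$, $a_5 = 1$, $P_6 = d - 1$, $Q_6 = 1$, $\alpha_6 = (d - 1 + \sqrt{d^2 - 4})/1$, $a_6 = 2d - 2$, $P_7 = d - 1 = P_1$, $Q_7 = 2d - 5 = Q_1$. Thus,

$\alpha = [d - 1; \overline{1, (d - 3)/2, 2, (d - 3)/2, 1, 2d - 2}]$.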

13. Suppose $\sqrt{d}$ has period length 2. Then $\sqrt{d} = [a; \overline{c, 2a}]$ from the discussion preceding Example 12.16. Then $\sqrt{d} = [a; y]$ with $y = [\overline{c; 2a}] = [c; 2a, y] = c + 1/(2a + (1/y)) = (2acy + c + y)/(2ay + 1)$. Then $2ay^2 - 2acy - c = 0$, and because $y$ is positive, we have $y = (2ac + \sqrt{(2ac)^2 + 4(2a)c})/(4a) = (ac + \sqrt{(ac)^2 + 2ac})/(2a)$. Then $\sqrt{d} = [a; y] = a + (1/y) = a + 2a/(ac + \sqrt{(ac)^2 + 2ac}) = \sqrt{a^2 + 2a/c}$, so $d = a^2 + 2a/c$, and $b = 2a/c$ is
an integral divisor of 2a. Conversely, let a = Va? + b and b|2a, say, kb = 2a. Then ag = 
[Va2 + b] =a, because a” < a? + b < (a + 1)”. Then Py = 0, Qo= 1, P} =a, Q}=b, a = 
(a+~va?-+ b)/b, a, = 4k, P2 =a, Q2 = 1, a2 = (a+ Va? 4+ b)/1, ay = 2a, P3 =a = Pi, Q3= 
b = Q,, so a = [a; 4k, 2a], which has period length 2. 


15. a. no b. yes c. yes d. no e. yes f. no

Let $\alpha = (a + \sqrt{b})/c$. Then $-1/\alpha' = -c/(a - \sqrt{b}) = (ca + \sqrt{bc^2})/(b - a^2) = (A + \sqrt{B})/C$, say. By Exercise 16, $0 < a < \sqrt{b}$ and $\sqrt{b} - a < c < \sqrt{b} + a < 2\sqrt{b}$. Multiplying by $c$ gives $0 < ca < \sqrt{bc^2}$ and $\sqrt{bc^2} - ca < c^2 < \sqrt{bc^2} + ca < 2\sqrt{bc^2}$. That is, $0 < A < \sqrt{B}$ and $\sqrt{B} - A < c^2 < \sqrt{B} + A < 2\sqrt{B}$. Multiply $\sqrt{b} - a < c$ by $\sqrt{b} + a$ to get $C = b - a^2 < \sqrt{bc^2} + ca = A + \sqrt{B}$. Multiply $c < \sqrt{b} + a$ by $\sqrt{b} - a$ to get $\sqrt{B} - A = \sqrt{bc^2} - ac < b - a^2 = C$. So, $-1/\alpha'$ satisfies all the inequalities in Exercise 16, and therefore is reduced.

Start with ap = VD + 3 + 1 (this will have the same period because it differs from VD; by an 
integer) and use induction. Apply the continued fraction algorithm to show a3; = VD 43-2. 
3k 427(2-3* 4), i= 1, 2,..., k, but oy43; = JD, + 3* — 2/(2-3'),i=1,2,...,k -1, 
and ay = VD; + 3+ 1=apg. Because a; # ap for i < 6k, we see that the period is 6k. 


Section 12.5 


1. Note that $19^2 - 2^2 = (19 - 2)(19 + 2) \equiv 0 \pmod{119}$. Then $(19 - 2, 119) = (17, 119) = 17$ and $(19 + 2, 119) = (21, 119) = 7$ are factors of 119.


3. $3119 \cdot 4261$

5. We have $17^2 = 289 \equiv 3 \pmod{143}$ and $19^2 = 361 \equiv 3 \cdot 5^2 \pmod{143}$. Combining these, we have $(17 \cdot 19)^2 \equiv 3^2 5^2 \pmod{143}$. Hence, $323^2 \equiv 15^2 \pmod{143}$. It follows that $323^2 - 15^2 = (323 - 15)(323 + 15) \equiv 0 \pmod{143}$. This produces the two factors $(323 - 15, 143) = (308, 143) = 11$ and $(323 + 15, 143) = (338, 143) = 13$ of 143.
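The two answers above rest on the same step: once $x^2 \equiv y^2 \pmod n$ with $x \not\equiv \pm y$, the greatest common divisors $(x - y, n)$ and $(x + y, n)$ split $n$. The Python sketch below is an added example, not code from the book; the function names are hypothetical, and the subset search generalizes the combination used for 143 to any short list of relations.

```python
from itertools import combinations
from math import gcd, isqrt, prod


def split_from_squares(x, y, n):
    """Given x^2 ≡ y^2 (mod n), return a nontrivial factor pair of n, or None."""
    if (x * x - y * y) % n != 0:
        raise ValueError("x^2 and y^2 are not congruent modulo n")
    for d in (gcd(x - y, n), gcd(x + y, n)):
        if 1 < d < n:
            return tuple(sorted((d, n // d)))
    # x ≡ ±y (mod n): both gcds are 1 or n, so this pair reveals nothing.
    return None


def combine_relations(xs, n):
    """Find a subset of xs whose residues x^2 mod n multiply to a perfect square.

    Returns (subset, y, factors) for the first subset that splits n, where
    y^2 equals the product of the residues, or None if no subset works.
    """
    residues = {x: (x * x) % n for x in xs}
    for size in range(1, len(xs) + 1):
        for subset in combinations(xs, size):
            product = prod(residues[x] for x in subset)
            root = isqrt(product)
            if product == 0 or root * root != product:
                continue  # product of residues is not a usable square
            x = prod(subset) % n
            factors = split_from_squares(x, root, n)
            if factors:
                return subset, root, factors
    return None


if __name__ == "__main__":
    # Values taken from the answers above.
    print(split_from_squares(19, 2, 119))      # 19^2 ≡ 2^2 (mod 119)
    print(combine_relations([17, 19], 143))    # 17^2 ≡ 3, 19^2 ≡ 3·5^2 (mod 143)
```
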


$3001 \cdot 4001$


Section 13.1 


1. a. (3, 4, 5), (5, 12, 13), (15, 8, 17), (7, 24, 25), (21, 20, 29), (35, 12, 37) b. those in part (a) and (6, 8, 10), (9, 12, 15), (12, 16, 20), (15, 20, 25), (18, 24, 30), (21, 28, 35), (24, 32, 40), (10, 24, 26), (15, 36, 39), (30, 16, 34)


By Lemma 13.1, 5 divides at most one of $x$, $y$, and $z$. If $5 \nmid x$ or $y$, then $x^2 \equiv \pm 1 \pmod 5$ and $y^2 \equiv \pm 1 \pmod 5$. Then $z^2 \equiv 0$, $2$, or $-2 \pmod 5$. But $\pm 2$ is not a quadratic residue modulo 5, so $z^2 \equiv 0 \pmod 5$, whence $5 \mid z$.


Let $k$ be an integer $> 3$. If $k = 2n + 1$, let $m = n + 1$. Then $m$ and $n$ have opposite parity, $m > n$ and $m^2 - n^2 = 2n + 1 = k$, so $m$ and $n$ define the desired triple. If $k$ has an odd divisor $d > 1$, then use the construction above for $d$ and multiply the result by $k/d$. If $k$ has no odd divisors, then $k = 2^j$ for some integer $j > 1$. Let $m = 2^{j-1}$ and $n = 1$. Then $k = 2mn$, $m > n$, and $m$ and $n$ have opposite parity, so $m$ and $n$ define the desired triple.


Substituting $y = x + 1$ into the Pythagorean equation gives us $2x^2 + 2x + 1 = z^2$, which is equivalent to $m^2 - 2z^2 = -1$ where $m = 2x + 1$. Dividing by $z^2$ yields $m^2/z^2 - 2 = -1/z^2$. Note
that m/z > 1, 1/z2=2- m/z? = (/2 + m/z)(V2 — m/z) < IIPS m/z). So by Theorem 
12.18, m/z must be a convergent of the continued fraction expansion of 2. Further, by the proof 
of Theorem 12.13, it must be one of the even-subscripted convergents. Therefore, each solution 
is given by the recurrence m, 4) = 3m, + 2Zy; Zn41 = 2M, + 3my. (See, e.g., Theorem 13.11.) 
Substituting x back in yields the recurrences of Exercise 6. 


. See Exercise 15 with p = 3. 

(9, 12, 15), (35, 12, 37), (5, 12, 13), (12, 16, 20)

13. $x = 2m$, $y = m^2 - 1$, $z = m^2 + 1$, $m > 1$

15. primitive solutions given by $x = (m^2 - pn^2)/2$, $y = mn$, $z = (m^2 + pn^2)/2$ where $m > \sqrt{p}\,n$


17. Substituting $f_n = f_{n+2} - f_{n+1}$ and $f_{n+3} = f_{n+2} + f_{n+1}$ into $(f_n f_{n+3})^2 + (2f_{n+1}f_{n+2})^2$ yields $(f_{n+2} - f_{n+1})^2(f_{n+2} + f_{n+1})^2 + 4f_{n+1}^2 f_{n+2}^2 = (f_{n+2}^2 - f_{n+1}^2)^2 + 4f_{n+1}^2 f_{n+2}^2 = f_{n+2}^4 - 2f_{n+1}^2 f_{n+2}^2 + f_{n+1}^4 + 4f_{n+1}^2 f_{n+2}^2 = f_{n+2}^4 + 2f_{n+1}^2 f_{n+2}^2 + f_{n+1}^4 = (f_{n+2}^2 + f_{n+1}^2)^2$, proving the result.

19. the point $(1, 0)$ and all points $(r, s)$ with $r = (t^2 - 1)/(t^2 + 1)$ and $s = -2t/(t^2 + 1)$, with $t$ rational

21. the point $(1, -1)$ and all points $(r, s)$ with $r = (t^2 - t - 1)/(t^2 + 1)$ and $s = (1 - 2t)/(t^2 + 1)$ with $t$ rational

23. the point $(-1, 1)$ and all points $(r, s)$ with $r = (1 - t^2)/(1 + t + t^2)$ and $s = (t^2 + 2t)/(t^2 + t + 1)$ with $t$ rational

25. Suppose $x$ and $y$ are rational numbers such that $x^2 + y^2 = 3$. Then there exist integers $p$, $q$, and $r$ such that $x = p/r$ and $y = q/r$, where we assume without loss of generality that $x$ and $y$ have equal denominators. Then we have $p^2 + q^2 = 3r^2$. Further, without loss of generality, we may assume $p$, $q$ and $r$ are not all even, because we could divide the equation by 4 and have another solution. First suppose $r$ is odd. Then $r^2 \equiv 1 \pmod 4$ so $p^2 + q^2 \equiv 3 \pmod 4$. Because a square modulo 4 must be congruent to either 0 or 1, there are no solutions to this last congruence. Now suppose $r$ is even. Then $r^2 \equiv 0 \pmod 4$, so that $p^2 + q^2 \equiv 0 \pmod 4$. The only solutions to this congruence require that $p$ and $q$ are both even, which contradicts our assumption that $p$, $q$ and $r$ are not all even. Therefore, there are no rational points on the circle $x^2 + y^2 = 3$.

27. the point $(0, 0, 1)$ and all points $(r, s, t)$ where $r = -2u/(u^2 + v^2 - 1)$, $s = -2v/(u^2 + v^2 - 1)$ and $t = (u^2 + v^2 + 1)/(u^2 + v^2 - 1)$ with $u$ and $v$ rational


Section 13.2 


1. Assume without loss of generality that $x < y$. Then $x^n + y^n = x^2x^{n-2} + y^2y^{n-2} < (x^2 + y^2)y^{n-2} = z^2y^{n-2} < z^2z^{n-2} = z^n$.

3. a. If $p \mid x$, $y$, or $z$, then certainly $p \mid xyz$. If not, then by Fermat's Little Theorem, $x^{p-1} \equiv y^{p-1} \equiv z^{p-1} \equiv 1 \pmod p$. Hence, $1 + 1 \equiv 1 \pmod p$, which is impossible. b. We know $a^p \equiv a \pmod p$ for every integer $a$. Then $x^p + y^p \equiv z^p \pmod p$ implies $x + y \equiv z \pmod p$, so $p \mid x + y - z$.


Let $x$ and $y$ be the lengths of the legs and let $z$ be the hypotenuse. Then $x^2 + y^2 = z^2$. If the area is a perfect square, we have $A = \frac{1}{2}xy = r^2$. Then, if $x = m^2 - n^2$, and $y = 2mn$, we have $r^2 = mn(m^2 - n^2)$. All of these factors are relatively prime, so $m = a^2$, $n = b^2$, and $m^2 - n^2 = c^2$, say. Then, $a^4 - b^4 = c^2$, which contradicts Exercise 4.


We use the method of infinite descent. Assume there is a nonzero solution where $|x|$ is minimal. Then $(x, y) = 1$. Also $x$ and $z$ cannot both be even, because then $y$ would be odd and then $z^2 \equiv 8 \pmod{16}$, but 8 is not a quadratic residue modulo 16. Therefore, $x$ and $z$ are both odd, because $8y^4$ is even. From here it is easy to check that $(x, z) = 1$. We may also assume (by negating if necessary) that $x \equiv 1 \pmod 4$ and $z \equiv 3 \pmod 4$. Clearly, $x^2 > |z|$. We have $8y^4 = x^4 - z^2 = (x^2 - z)(x^2 + z)$. Because $z \equiv 3 \pmod 4$, we have $x^2 - z \equiv 2 \pmod 4$, so $m = (x^2 - z)/2$ is odd, and $n = (x^2 + z)/4$ is an integer. Because no odd prime can divide both $m$ and $n$, we have $(m, n) = 1$, $m, n > 0$ and $mn = y^4$, whence $m = r^4$ and $n = s^4$, with $(r, s) = 1$. So now $r^4 + 2s^4 = m + 2n = x^2$. This implies $(x, r) = 1$, because no odd prime divides $r$ and $x$ but not $s$, and $r$ and $x$ are both odd. Also, $|x| > r^2 > 0$. Now consider $2s^4 = (x^2 - r^4) = (x - r^2)(x + r^2)$. Then $s$ must be even because a difference of squares is not congruent to 2 (mod 4), so $s = 2t$ and $32t^4 = (x - r^2)(x + r^2)$. Recalling $x \equiv 1 \pmod 4$ and $r$ is odd, we have $U = (x + r^2)/2$ is odd and $V = (x - r^2)/16$ is an integer. Again $(U, V) = 1$ and $UV = t^4$, but we don't know the sign of $x$. So $U = \pm u^4$ and $V = \pm v^4$, depending on the sign of $x$. Now $r^2 = \pm(u^4 - 8v^4)$. But because $u$ is odd, we can rule out the case with the minus sign (or else $r^2 \equiv 7 \pmod 8$). Therefore, we must have the plus sign (hence, $x$ is positive), and we have $u^4 - 8v^4 = r^2$. Finally, $|v| > 0$ because $|x + r^2| > 0$. So we haven't reduced to a trivial case. Then $u^4 = U < |x + r^2|/2 < x$, so $|u| < x$, and so $|x|$ was not minimal. This contradiction shows that there are no nontrivial solutions.


Suppose that $x = a/b$, where $a$ and $b$ are relatively prime and $b \ne 0$. Then $y^2 = (a^4 + b^4)/b^4$, from which we deduce that $y = z/b^2$ for some integer $z$. Then $z^2 = a^4 + b^4$, which has no nonzero solutions by Theorem 13.3. Because $b \ne 0$, it follows that $z \ne 0$. Therefore, $a = 0$, and hence $x = 0$, and consequently $y = \pm 1$. These are the only solutions.


If $x$ were even, then $y^2 = x^3 + 23 \equiv 3 \pmod 4$, which is impossible, so $x$ must be odd, making $y$ even, say, $y = 2v$. If $x \equiv 3 \pmod 4$, then $y^2 \equiv 3^3 + 23 \equiv 2 \pmod 4$, which is also impossible, so $x \equiv 1 \pmod 4$. Add 4 to both sides of the equation to get $y^2 + 4 = 4v^2 + 4 = x^3 + 27 = (x + 3)(x^2 - 3x + 9)$. Then $z = x^2 - 3x + 9 \equiv 1 - 3 + 9 \equiv 3 \pmod 4$, so a prime $p \equiv 3 \pmod 4$ must divide $z$. Then $4v^2 + 4 \equiv 0 \pmod p$ or $v^2 \equiv -1 \pmod p$. But this shows that a prime congruent to 3 modulo 4 has $-1$ as a quadratic residue, which contradicts Theorem 11.5. Therefore, the equation has no solutions.


This follows from Exercise 4 and Theorem 13.2. 


Assume that $n \nmid xyz$, and $(x, y, z) = 1$. Now $(-x)^n = y^n + z^n = (y + z)(y^{n-1} - y^{n-2}z + \cdots + z^{n-1})$, and these factors are relatively prime, so they are $n$th powers, say, $y + z = a^n$, and $y^{n-1} - y^{n-2}z + \cdots + z^{n-1} = \alpha^n$, whence $-x = a\alpha$. Similarly, $z + x = b^n$, and $(z^{n-1} - z^{n-2}x + \cdots + x^{n-1}) = \beta^n$, $-y = b\beta$, $x + y = c^n$, and $(x^{n-1} - x^{n-2}y + \cdots + y^{n-1}) = \gamma^n$, and $-z = c\gamma$. Because $x^n + y^n + z^n \equiv 0 \pmod p$, we have $p \mid xyz$, say, $p \mid x$. Then $\gamma^n = (x^{n-1} - x^{n-2}y + \cdots + y^{n-1}) \equiv y^{n-1} \pmod p$. Also, $2x = b^n + c^n + (-a)^n \equiv 0 \pmod p$, so by the condition on $p$, we have $p \mid abc$. If $p \mid b$, then $y = -b\beta \equiv 0 \pmod p$, but then $p \mid x$ and $y$, a contradiction. Similarly, $p$ cannot divide $c$. Therefore, $p \mid a$, so $y \equiv -z \pmod p$, and so $\alpha^n = (y^{n-1} - y^{n-2}z + \cdots + z^{n-1}) \equiv ny^{n-1} \equiv n\gamma^n \pmod p$. Let $g$ be the inverse of $\gamma \pmod p$; then $(\alpha g)^n \equiv n \pmod p$, which contradicts the condition that there is no solution to $w^n \equiv n \pmod p$.

3, 4, 5, 6 


If $m \ge 3$, then modulo 8 we have $3^n \equiv -1 \pmod 8$, which is impossible, so $m = 1$ or 2. If $m = 1$, then $3^n = 2 - 1 = 1$, which implies that $n = 0$, which is not a positive integer, so we have no solutions in this case. If $m = 2$, then $3^n = 2^2 - 1 = 3$, which implies that $n = 1$, and this is the only solution.

a. Substituting the expressions into the left-hand side of the equation yields $a^2 + b^2 + (3ab - c)^2 = a^2 + b^2 + 9a^2b^2 - 6abc + c^2 = (a^2 + b^2 + c^2) + 9a^2b^2 - 6abc$. Because $(a, b, c)$ is a solution to Markoff's equation, we substitute $a^2 + b^2 + c^2 = 3abc$ to get the last expression equal to $3abc + 9a^2b^2 - 6abc = 9a^2b^2 - 3abc = 3ab(3ab - c)$, which is the right-hand side of Markoff's equation evaluated at these expressions. b. Case 1: If $x = y = z$, then Markoff's equation becomes $3x^2 = 3xyz$, so that $1 = yz$. Then $y = z = 1$ and then $x = 1$, so the only solution in this case is $(1, 1, 1)$.

Case 2: If $x = y \ne z$, then $2x^2 + z^2 = 3x^2z$, which implies that $x^2 \mid z^2$ or $x \mid z$, say $dx = z$. Then $2x^2 + d^2x^2 = 3dx^3$ or $2 + d^2 = 3dx$ or $2 = d(3x - d)$. So $d \mid 2$, but because $x \ne z$, we must have $d = 2$. Then $3x - d = 1$, so that $x = 1 = y$ and $z = 2$, so the only solution in this case is $(1, 1, 2)$.

Case 3: Assume $x < y < z$. From $z^2 - 3xyz + x^2 + y^2 = 0$, we apply the quadratic formula to get $2z = 3xy \pm \sqrt{9x^2y^2 - 4(x^2 + y^2)}$. Note that $8x^2y^2 - 4x^2 - 4y^2 = 4x^2(y^2 - 1) + 4y^2(x^2 - 1) > 0$, so in the "minus" case of the quadratic formula, we have $2z < 3xy - \sqrt{9x^2y^2 - 8x^2y^2} = 3xy - xy = 2xy$, or $z < xy$. But $3xyz = x^2 + y^2 + z^2 < 3z^2$, so that $xy < z$, a contradiction; therefore, we must have the "plus" case in the quadratic formula and $2z = 3xy + \sqrt{9x^2y^2 - 4(x^2 + y^2)} > 3xy$, so that $z > 3xy - z$. This last expression is the formula for the generation of $z$ in part (a). Therefore, by successive use of the formula in part (a), we will reduce the value of $x + y + z$ until it is one of the solutions in case 1 or case 2.


Let $\epsilon > 0$ be given; then the abc conjecture gives us $\max(|a|, |b|, |c|) < K(\epsilon)\,\mathrm{rad}(abc)^{1+\epsilon}$ for integers $(a, b) = 1$ and $a + b = c$. Set $M = \log K(\epsilon)/\log 2 + (3 + 3\epsilon)$. Suppose $x, y, z, a, b, c$ are positive integers with $(x, y) = 1$ and $x^a + y^b = z^c$, so that we have a solution to Beal's equation. Assume $\min(a, b, c) > M$. From the abc conjecture, and because $\mathrm{rad}(x^a y^b z^c) = \mathrm{rad}(xyz)$, we have $\max(x^a, y^b, z^c) < K(\epsilon)\,\mathrm{rad}(xyz)^{1+\epsilon} < (xyz)^{1+\epsilon}$. If $\max(x, y, z) = x$, then we would have $x^a < K(\epsilon)x^{3(1+\epsilon)}$. Taking logs of both sides yields $a < \log K(\epsilon)/\log x + (3 + 3\epsilon) < \log K(\epsilon)/\log 2 + (3 + 3\epsilon) = M$, a contradiction. Similarly if the maximum is $y$ or $z$. Therefore, if the abc conjecture is true, there are no solutions to the Beal conjecture for sufficiently large exponents.


Section 13.3 


11. 


13. 


15. 


17, 


19. 


.a197 +42 b, 2324112 «3727492 13724 92 
a.57+32 b.92432 © 1074+02 .212+7% ©. 133%7+632 £. 4482 + 3522 


-aP+P4? b8t#4+574+2 6 324122412 d.32?+32+02 e.notpossible ff. not 
possible 


Let $n = x^2 + y^2 + z^2 = 4^m(8k + 7)$. If $m = 0$, then see Exercise 6. If $m \ge 1$, then $n$ is even, so none or two of $x$, $y$, $z$ are odd. If two are odd, $x^2 + y^2 + z^2 \equiv 2$ or $6 \pmod 8$, but then $4 \nmid n$, a contradiction, so all of $x$, $y$, $z$ are even. Then $4^{m-1}(8k + 7) = (x/2)^2 + (y/2)^2 + (z/2)^2$ is the sum of three squares. Repeat until $m = 0$ and use Exercise 6 to get a contradiction.

. al0?+174+07+2? b2274474 12432 «1427442412452 0.5624 1274174 2 

Let $m = n - 169$. Then $m$ is the sum of four squares: $m = x^2 + y^2 + z^2 + w^2$. If, say, $x$, $y$, $z$ are 0, then $n = w^2 + 169 = w^2 + 10^2 + 8^2 + 2^2 + 1^2$. If, say, $x$, $y$ are 0, then $n = z^2 + w^2 + 169 = z^2 + w^2 + 12^2 + 4^2 + 3^2$. If, say, $x$ is 0, then $n = y^2 + z^2 + w^2 + 169 = y^2 + z^2 + w^2 + 12^2 + 5^2$. If none are 0, then $n = x^2 + y^2 + z^2 + w^2 + 13^2$.

If $k$ is odd, then $2^k$ is not the sum of four positive squares. Suppose $k \ge 3$, and $2^k = x^2 + y^2 + z^2 + w^2$. Then either none, two, or four of the squares are odd. Modulo 8, we have $0 \equiv x^2 + y^2 + z^2 + w^2$, and because an odd square is congruent to 1 modulo 8, the only possibility is to have $x$, $y$, $z$, $w$ all even. But then we can divide by 4 to get $2^{k-2} = (x/2)^2 + (y/2)^2 + (z/2)^2 + (w/2)^2$. Either $k - 2 \ge 3$ and we can repeat the argument, or $k - 2 = 1$, in which case we have two equal to the sum of four positive squares, a contradiction.


If $p = 2$ the theorem is obvious. Else, $p = 4k + 1$, whence $-1$ is a quadratic residue modulo $p$, say, $a^2 \equiv -1 \pmod p$. Let $x$ and $y$ be as in Thue's lemma. Then $x^2 < p$ and $y^2 < p$ and $-x^2 \equiv (ax)^2 \equiv y^2 \pmod p$. Thus, $p \mid x^2 + y^2 < 2p$; therefore, $p = x^2 + y^2$ as desired.

The left sum runs over every pair of integers $i < j$, for $1 \le i < j \le 4$, so there are six terms. Each integer subscript 1, 2, 3, and 4 appears in exactly three pairs, so

$$\sum_{1 \le i < j \le 4} \left[(x_i + x_j)^4 + (x_i - x_j)^4\right] = \sum_{1 \le i < j \le 4} \left(2x_i^4 + 12x_i^2x_j^2 + 2x_j^4\right) = \sum_{k=1}^{4} 6x_k^4 + \sum_{1 \le i < j \le 4} 12x_i^2x_j^2 = 6\left(\sum_{k=1}^{4} x_k^2\right)^2.$$

If $m$ is positive, then $m = \sum_{k=1}^{4} x_k^2$, for some $x_k$'s. Then $6m = 6\sum_{k=1}^{4} x_k^2 = \sum_{k=1}^{4} 6x_k^2$. Each term of the last sum is the sum of 12 fourth powers by Exercise 18. Therefore, $6m$ is the sum of 48 fourth powers.

For $n = 1, 2, \ldots, 50$, $n = \sum_{i=1}^{n} 1^4$. For $n = 51, 52, \ldots, 81$, $n - 48 = n - 3(2^4) = \sum_{i=1}^{n-48} 1^4$, so $n = 2^4 + 2^4 + 2^4 + \sum_{i=1}^{n-48} 1^4$ is the sum of $(n - 45)$ fourth powers, and $n - 45 \le 36 \le 50$. This result, coupled with the result from Exercise 20, shows that all positive integers can be written as the sum of 50 or fewer fourth powers. That is, $g(4) \le 50$.

The only quartic residues modulo 16 are 0 and 1. Therefore, the sum of fewer than 15 fourth 
powers must have a least nonnegative residue between 0 and 14 (mod 16), which excludes any 
integer congruent to 15 (mod 16). 


Section 13.4 


a. $(\pm 2, 0)$, $(\pm 1, \pm 1)$ b. none c. $(\pm 1, \pm 2)$

a. yes b. no c. yes d. yes e. yes f. no

(73, 12), (10657, 1752), (1555849, 255780)

(6239765965720528801, 798920165762330040)

Reduce modulo $p$ to get $x^2 \equiv -1 \pmod p$. Because $-1$ is a quadratic nonresidue modulo $p$ if $p = 4k + 3$, there is no solution.


. Let py = 0, py = 3, pe = 2Py_1 + 2_2, Go = 1, G1 = 1, and gy, = 2qy_1 + 9y_2- Then the legs are 


x= p?+2p,.q +kand y = 2744; + 242. 


Suppose there is a solution $(x, y)$. Then $x$ must be odd. Note that $(x^2 + 1)^2 = x^4 + 2x^2 + 1 = 2y^2 + 2x^2$ and $(x^2 - 1)^2 = x^4 - 2x^2 + 1 = 2y^2 - 2x^2$. Multiplying these two equations together yields $(x^4 - 1)^2 = 4(y^4 - x^4)$, or because $x^4 \equiv 1 \pmod 4$, $((x^4 - 1)/2)^2 = y^4 - x^4$. This contradicts Exercise 4 in Section 13.2.


Section 13.5 


1. 


11. 


Let $(x, y, z)$ be a primitive Pythagorean triple. Then there exist relatively prime integers $m$ and $n$ of opposite parity such that $x = m^2 - n^2$, $y = 2mn$ and $z = m^2 + n^2$. Then the area of the triangle is $xy/2 = (m^2 - n^2)2mn/2 = mn(m^2 - n^2)$ which is even because one of $m$ and $n$ must be even.

14, 330, 390, 210

a. 15 b. 21 c. 210 d. 5

Let $n$ be any positive integer and consider the Pythagorean triangle with sides $3n$, $4n$, and $5n$. The area of this triangle is $(3n)(4n)/2 = 6n^2$. Therefore, $6n^2$ is a congruent number for every positive integer $n$.

Consider the right triangle with legs of length $\sqrt{2}$. The length of the hypotenuse is $\sqrt{(\sqrt{2})^2 + (\sqrt{2})^2} = 2$, so if we assume that $\sqrt{2}$ is rational, this is a rational triangle. We compute its area to be $(1/2)\sqrt{2}\sqrt{2} = 1$. This implies that 1 is a congruent number, which is false. Therefore, $\sqrt{2}$ must be irrational.


Let $n$ be a congruent number and suppose $n = 2k^2$ where $k$ is an integer. Assume $n$ is a congruent number. Then Theorem 13.16 tells us that $n$ must be the common difference of a progression of three squares. Specifically, there are integers $r$, $s$, and $t$ such that $t^2 - s^2 = n$ and $s^2 - r^2 = n$. Then $t^2 = s^2 + n$ and $r^2 = s^2 - n$. Multiplying these last two equations yields $(rt)^2 = s^4 - n^2 = s^4 - 4k^4$. Let $z = rt$, $x = s$, and $y = k$. Then the equation becomes $x^4 - 4y^4 = z^2$. Suppose that the equation has solutions in the positive integers. By the well-ordering property, there is a solution $(x, y, z)$ having the smallest value for $x$. Rewriting the equation as $z^2 + (2y^2)^2 = (x^2)^2$ shows that $(z, 2y^2, x^2)$ is a Pythagorean triple. Check that this triple must be primitive. Then there exist relatively prime integers $u$ and $v$ of opposite parity such that $z = u^2 - v^2$, $2y^2 = 2uv$, and $x^2 = u^2 + v^2$. Then $y^2 = uv$ and $(u, v) = 1$, so $u = a^2$ and $v = b^2$ for some integers $a$ and $b$. Then $x^2 = a^4 + b^4$, which has no nonzero solutions according to Theorem 13.3. Therefore, $n$ cannot be congruent.

a. Because 1 is not a congruent number, Theorem 13.16 says that it cannot be the common difference of an arithmetic progression of three squares. b. Because $8 = 2^2 \cdot 2$ and 2 is not a congruent number, we know that 8 is not a congruent number. By Theorem 13.16, 8 cannot be the common difference of an arithmetic progression of three squares. c. By Theorem 13.15, $25 = 5^2$ cannot be the area of a rational right triangle and therefore cannot be a congruent number. Then by Theorem 13.16, 25 cannot be the common difference of an arithmetic progression of three squares. d. If $48 = 4^2 \cdot 3$ were the common difference of an arithmetic progression of three squares, then it would be a congruent number by Theorem 13.16. By definition, it would be the area of a rational right triangle. But then we could divide the lengths of the sides of the triangle by 4 and we would have a rational right triangle of area 3, which implies that 3 would be a congruent number, contrary to Exercise 12.

r = 337/120 

(12, 7/2, 25/2) 

a. Let $r$ be the common difference of the arithmetic progression. Then $a^2 = b^2 - r$ and $c^2 = b^2 + r$. Then $(a/b)^2 + (c/b)^2 = (a^2 + c^2)/b^2 = ((b^2 - r) + (b^2 + r))/b^2 = 2b^2/b^2 = 2$. Therefore, $(a/b, c/b)$ is a rational point on $x^2 + y^2 = 2$. b. Because $x^2 + y^2 = 2 = 1 + 1$, we have $y^2 - 1 = 1 - x^2$. Multiply through by $t^2$ to get $(ty)^2 - t^2 = t^2 - (tx)^2$, which shows that $(tx)^2$, $t^2$, $(ty)^2$ is an arithmetic progression.

(x, y) = (112/9, 980/27) 

If there is a rational point on the elliptic curve y” = x3 — 2x, then by Theorem 13.18, 2 would 
be a congruent number, a contradiction. 


(11894/1443, 26760/3367, 115658/10101) 


P3 = (16689/2704, —1074861/140608) and the triangle is (76130/10101, 32112/3367, 
112768/10101) 


$(1151/140)^2$, $(1201/140)^2$, $(1249/140)^2$ and $(4319999/2639802)^2$, $(7776485/2639802)^2$, $(10113607/2639802)^2$


a. The solutions to $1 = 2x^2 + y^2 + 32z^2$ are $x = z = 0$, $y = \pm 1$, so $A_1 = 2$. The solutions to $1 = 2x^2 + y^2 + 8z^2$ are $x = z = 0$, $y = \pm 1$, so $B_1 = 2$. Because $A_1 \ne B_1/2$, we conclude that 1 is not a congruent number by Tunnell's theorem. b. The solutions to $10 = 8x^2 + 2y^2 + 64z^2$ are $(\pm 1, \pm 1, 0)$, so $C_{10} = 4$. The solutions to $10 = 8x^2 + 2y^2 + 16z^2$ are $(\pm 1, \pm 1, 0)$, so $D_{10} = 4$. Because $C_{10} \ne D_{10}/2$, we conclude that 10 is not a congruent number by Tunnell's theorem. c. The solutions to $17 = 2x^2 + y^2 + 32z^2$ are $(\pm 2, \pm 3, 0)$, so $A_{17} = 4$. The solutions to $17 = 2x^2 + y^2 + 8z^2$ are $(\pm 2, \pm 3, 0)$, $(\pm 2, \pm 1, \pm 1)$, and $(0, \pm 3, \pm 1)$, so $B_{17} = 16$. Because $A_{17} \ne B_{17}/2$, we conclude that 17 is not a congruent number by Tunnell's theorem.

The solutions to $41 = 2x^2 + y^2 + 32z^2$ are $(\pm 4, \pm 3, 0)$, $(\pm 2, \pm 1, \pm 1)$, and $(0, \pm 3, \pm 1)$, so $A_{41} = 16$. The solutions to $41 = 2x^2 + y^2 + 8z^2$ are $(\pm 4, \pm 3, 0)$, $(\pm 4, \pm 1, \pm 1)$, $(\pm 2, \pm 5, \pm 1)$, $(\pm 2, \pm 1, \pm 2)$, and $(0, \pm 3, \pm 2)$ so $B_{41} = 32$. Because $A_{41} = B_{41}/2$ we conclude that 41 is a congruent number by Tunnell's theorem.

For the case $n \equiv 5$ or $7 \pmod 8$, we note that $n$ is odd and reduce the left sides of the first two equations in Tunnell's theorem modulo 8. Both expressions become $2x^2 + y^2 \pmod 8$. Because a square must be congruent to 0, 1, or 4 (mod 8), the right side of the congruence must be congruent to 0, 1, 2, 3, 4, or 6, and none of these are 5 or 7 (mod 8). Therefore $A_n = 0 = B_n/2$. By Tunnell's theorem, $n$ must be a congruent number. For the case $n \equiv 6 \pmod 8$, we note that $n$ is even and reduce the last two equations in Tunnell's theorem modulo 8. Both equations reduce to $6 \equiv n \equiv 2y^2 \pmod 8$. Because $n$ is even, we may divide by 2 to get $3 \equiv n/2 \equiv y^2 \pmod 4$. Because 3 is not a quadratic residue modulo 4, there are no solutions to either equation. Therefore, $C_n = 0 = D_n/2$. By Tunnell's theorem, $n$ must be a congruent number.
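The counts $A_n$, $B_n$, $C_n$, and $D_n$ used in the answers above can be checked by direct enumeration. The Python sketch below is an added example, not code from the book; the function names are hypothetical, and it assumes $n$ is a squarefree positive integer, as Tunnell's theorem requires.

```python
from math import isqrt


def count_representations(n, a, b, c):
    """Count integer triples (x, y, z) with a*x^2 + b*y^2 + c*z^2 == n."""
    total = 0
    x_max = isqrt(n // a)
    z_max = isqrt(n // c)
    for x in range(-x_max, x_max + 1):
        for z in range(-z_max, z_max + 1):
            rest = n - a * x * x - c * z * z
            if rest < 0 or rest % b:
                continue
            y_squared = rest // b
            y = isqrt(y_squared)
            if y * y == y_squared:
                total += 1 if y == 0 else 2  # count both y and -y
    return total


def tunnell_counts(n):
    """Return (A_n, B_n) for odd n and (C_n, D_n) for even n."""
    if n % 2:
        return (count_representations(n, 2, 1, 32),
                count_representations(n, 2, 1, 8))
    return (count_representations(n, 8, 2, 64),
            count_representations(n, 8, 2, 16))


def passes_tunnell_test(n):
    """True when the first count equals half the second.

    Equality is necessary for n to be congruent; that it is also
    sufficient rests on the Birch and Swinnerton-Dyer conjecture.
    """
    first, second = tunnell_counts(n)
    return 2 * first == second


if __name__ == "__main__":
    for n in (1, 10, 17, 41, 5, 6, 7):
        print(n, tunnell_counts(n), passes_tunnell_test(n))
```
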


First suppose $n > 2$. Let $r = 2n/(n - 2)$ and $s = (n - 2)/4$. Check that $(2, r - 1/r, r + 1/r)$ and $(2, s - 1/s, s + 1/s)$ satisfy the Pythagorean theorem, so these triples represent right triangles. Because $n$ is an integer, we see that the sides of both triangles have rational lengths. If we glue these triangles together along the side of length 2, then we have a triangle with sides $(r + 1/r, s + 1/s, r - 1/r + s - 1/s)$. Note that the common side of length 2 is now an altitude of the new triangle. Therefore, the area of the triangle is $(1/2)2(r - 1/r + s - 1/s) = 2n/(n - 2) - (n - 2)/2n + (n - 2)/4 - 4/(n - 2) = (2n - 4)/(n - 2) + (n^2 - 4n + 4)/4n = 2 + (n^2 - 4n + 4)/4n = (n^2 + 4n + 4)/4n = (n + 2)^2/4n$, which is rational, making this a Heron triangle. If we multiply all the sides by the rational number $2n/(n + 2)$, then the area will be multiplied by its square, yielding $((n + 2)^2/4n)(4n^2/(n + 2)^2) = n$ for the final area. If $n = 1$ or 2, then we perform the above construction to get a Heron triangle of area 4 or 8, respectively, and then divide all sides by 2, which will divide the area by 4, yielding a Heron triangle of area 1 or 2, respectively.


a. Suppose $n$ is a $t$-congruent number. Then there exist rational numbers $a$, $b$, and $c$ satisfying $2n = ab(2t)/(t^2 + 1)$ and $c^2 = a^2 + b^2 - 2ab(t^2 - 1)/(t^2 + 1)$. Note that the first equation implies $n/t = ab/(t^2 + 1)$. We seek to show that the point $(c^2/4, (ca^2 - cb^2)/8)$ is a point on the curve. First note that $x - n/t = c^2/4 - n/t = (a^2 + b^2 - 2ab(t^2 - 1)/(t^2 + 1))/4 - ab/(t^2 + 1) = (a^2 + b^2 - 2ab)/4 = (a - b)^2/4$. Then note that $x + nt = c^2/4 + nt = (a^2 + b^2 - 2ab(t^2 - 1)/(t^2 + 1))/4 + 2abt^2/(t^2 + 1) = (a^2 + b^2 + 2ab)/4 = (a + b)^2/4$. Then $x(x - n/t)(x + nt) = (c^2/4)((a - b)^2/4)((a + b)^2/4) = ((ca^2 - cb^2)/8)^2 = y^2$, so this is a rational point on the curve. Note that $y \ne 0$ unless $a = b$. If $a = b$, then the defining equations become $2a^2 - 2a^2(t^2 - 1)/(t^2 + 1) = c^2$, and $n/t = a^2/(t^2 + 1)$. Solve the first equation to get $t^2 + 1 = (2a/c)^2$ and use this in the second equation to get $n/t = (c/a)^2$, so both $t^2 + 1$ and $n/t$ are rational squares. Conversely, suppose $(x, y)$ is a rational point on the curve with $y \ne 0$. Substitute the values $a = n|x(1 + t^2)/(yt)|$, $b = |(x - n/t)(x + nt)/y|$, and $c = |(x^2 + n^2)/y|$ into the defining equations to see that $n$ is a $t$-congruent number. If $n/t$ and $t^2 + 1$ are nonzero rational squares, then substitute $c = 2\sqrt{n/t}$ and $a = c = \sqrt{n(t^2 + 1)/t}$ into the defining equations to see that $n$ is a $t$-congruent number. b. For the given values, $x(x - n/t)(x + nt) = -6(-6 - 12/(4/3))(-6 + 12(4/3)) = -6(-6 - 9)(-6 + 16) = 6(15)(10) = 900 = 30^2 = y^2$. c. Part (b) shows that, for $n = 12$ and $t = 4/3$, the curve $y^2 = x(x - n/t)(x + nt)$ has a rational point, $(-6, 30)$ with $y \ne 0$. Therefore, 12 is a 4/3-congruent number. Then using the formulas from part (a), we have $a = |((-6)^2 + 12^2)/30| = 6$, $b = |(-6 - 12/(4/3))(-6 + 12(4/3))/30| = 5$, and $c = 12\,|{-6}(4/3 + 1/(4/3))/30| = 5$. Check that the triangle with sides 6, 5, and 5 has area equal to 12. d. Given a positive integer $n$, Exercise 37 tells us there exists a Heron triangle $(x, y, z)$ of area $n$. Then from Exercise 38, if the angle between $x$ and $y$ is $\theta$, then $\sin\theta = 2t/(t^2 + 1)$ and $\cos\theta = (t^2 - 1)/(t^2 + 1)$ for some rational $t$. The law of cosines tells us that $z^2 = x^2 + y^2 - 2xy\cos\theta = x^2 + y^2 - 2xy(t^2 - 1)/(t^2 + 1)$. Because the area is $n = xy\sin(\theta)/2 = xy(2t/(t^2 + 1))/2$, we see that $n$ is a $t$-congruent number.


Section 14.1 


1. a. $5 + 15i$ b. $46 - 9i$ c. $-26 - 18i$

3. a. yes b. yes c. no d. yes

5. $(4a - 3b) + (4b + 3a)i$ where $a$ and $b$ are rational integers (see the Student Solutions Manual for the display of such integers).


Because $\alpha \mid \beta$ and $\beta \mid \gamma$, there exist Gaussian integers $\mu$ and $\nu$ such that $\mu\alpha = \beta$ and $\nu\beta = \gamma$. Because the product of Gaussian integers is a Gaussian integer, $\nu\mu$ is also a Gaussian integer. It follows that $\alpha \mid \gamma$.

Note that $x^5 = x$ if and only if $x^5 - x = x(x - 1)(x + 1)(x - i)(x + i) = 0$. The solutions of this equation are 0, 1, $-1$, $i$, and $-i$. These are the four Gaussian integers that are units, together with 0.

Because $\alpha \mid \beta$ and $\beta \mid \alpha$, there exist Gaussian integers $\mu$ and $\nu$ such that $\alpha\mu = \beta$ and $\beta\nu = \alpha$. Then $\alpha = \alpha\mu\nu$. Taking norms of both sides yields $N(\alpha) = N(\alpha\mu\nu) = N(\alpha)N(\mu\nu)$ by Theorem 14.1. So that $N(\mu)N(\nu) = 1$. Because $\mu$ and $\nu$ are Gaussian integers, their norms must be nonnegative rational integers. Therefore, $N(\mu) = N(\nu) = 1$, and so $\mu$ and $\nu$ are units, and hence, $\alpha$ and $\beta$ are associates.

The pair $\alpha = 1 + 2i$, $\beta = 2 + i$ is a counterexample.

We show that such an associate exists. If $a > 0$ and $b > 0$, then the desired inequalities are met. If $a < 0$ and $b > 0$, then we multiply by $-i$ to get $-i\alpha = b - ai = c + di$ which has $c > 0$ and $d > 0$. If $a < 0$ and $b < 0$, then we multiply by $-1$ to get $-\alpha = -a - bi = c + di$, which has $c > 0$ and $d > 0$. If $a > 0$ and $b < 0$ then we multiply by $i$ to get $i\alpha = -b + ai = c + di$, which has $c > 0$ and $d > 0$. (We have covered the quadrants in the plane in counterclockwise order.) Having found the associate $c + di$ in the first quadrant, we observe that it is unique, because if we multiply by any unit other than one, we get, respectively, $-c - di$, which has $-c < 0$, $-d + ci$, which has $-d < 0$, or $d - ci$, which has $-c < 0$.

a.y =3—5i,p =—3i,N(p) =32?+0?=9<N(~)=34+3=18 by=5-—i,p=-1-2i, 
N(p)=5<N(s)=25 cc y=—14+ 8i, p=—5 —3i, N(p) = 5 +32 =34< N(B)= 
127125 


ay=2-Si,p=3 by=4-i,p=24+2i eay=-1l+7i.,p=-34+ 8 
1, 2, and 4 


If $a$ and $b$ are both even, then the Gaussian integer is divisible by 2. Because $(1 + i)(1 - i) = 2$, then $1 + i$ is a divisor of 2, which is in turn a divisor of $a + bi$. If $a$ and $b$ are both odd, we may write $a + bi = (1 + i) + (a - 1) + (b - 1)i$, and $a - 1$ and $b - 1$ are both even. Because both of these Gaussian integers are multiples of $1 + i$, so is their sum. If $a$ is odd and $b$ is even, then $a - 1 + bi$ is a multiple of $1 + i$ and hence $(a + bi) - (a - 1 + bi) = 1$ is a multiple of $1 + i$ if $a + bi$ is, a contradiction. A similar argument shows that if $a$ is even and $b$ is odd, then $1 + i$ does not divide $a + bi$.


+1+ 2i 


Suppose $7 = (a + bi)(c + di)$ where $a + bi$ and $c + di$ are nonunit Gaussian integers. Taking norms of both sides yields $49 = (a^2 + b^2)(c^2 + d^2)$. Because $a + bi$ and $c + di$ are not units, we have that the factors on the right are not equal to 1, so we must have $a^2 + b^2 = 7$, a contradiction, because 7 is not the sum of two squares.

Because $\alpha$ is neither a unit nor a prime, it has factors $\alpha = \beta\gamma$ with $\beta$ and $\gamma$ nonunits, so that $1 < N(\beta)$ and $1 < N(\gamma)$. Then $N(\alpha) = N(\beta)N(\gamma)$. If $N(\beta) > \sqrt{N(\alpha)}$, then $N(\gamma) = N(\alpha)/N(\beta) < N(\alpha)/\sqrt{N(\alpha)} = \sqrt{N(\alpha)}$. Consequently, either $\beta$ or $\gamma$ divides $\alpha$ and has norm not exceeding $\sqrt{N(\alpha)}$.

The Gaussian primes with norm less than 100 are $3$, $7$, $1 + i$, $2 + i$, $4 + i$, $6 + i$, $3 + 2i$, $5 + 2i$, $7 + 2i$, $8 + 3i$, $5 + 4i$, $9 + 4i$, $6 + 5i$, and $8 + 5i$, together with their conjugates and associates.

a. Note that $\alpha - \alpha = 0 = 0 \cdot \mu$, so $\mu \mid \alpha - \alpha$. Thus, $\alpha \equiv \alpha \pmod{\mu}$. b. Because $\alpha \equiv \beta \pmod{\mu}$, we have $\mu \mid \alpha - \beta$, so there exists a Gaussian integer $\gamma$ such that $\mu\gamma = \alpha - \beta$. But then $\mu(-\gamma) = \beta - \alpha$, so $\mu \mid \beta - \alpha$. Therefore, $\beta \equiv \alpha \pmod{\mu}$. c. Because $\alpha \equiv \beta \pmod{\mu}$ and $\beta \equiv \gamma \pmod{\mu}$, there exist Gaussian integers $\delta$ and $\epsilon$ such that $\mu\delta = \alpha - \beta$ and $\mu\epsilon = \beta - \gamma$. Then $\alpha - \gamma = \alpha - \beta + \beta - \gamma = \mu\delta + \mu\epsilon = \mu(\delta + \epsilon)$. Therefore $\alpha \equiv \gamma \pmod{\mu}$.

Let $\alpha = a_1 + ib_1$, $\beta = a_2 + ib_2$, and $p = (a_1 + b_1)(a_2 + b_2)$. Then the real part of $\alpha\beta$ is given by the two multiplications $R = a_1a_2 - b_1b_2$, and the imaginary part is given by $p - R$, which requires only one more multiplication. The second way in the hint goes as follows. Let $m_1 = b_2(a_1 + b_1)$, $m_2 = a_2(a_1 - b_1)$, and $m_3 = b_1(a_2 - b_2)$. These are the three multiplications. Then the real part of $\alpha\beta$ is given by $m_2 + m_3$, and the imaginary part by $m_1 + m_3$.


a. $i$, $1 + i$, $1 + 2i$, $2 + 3i$, $3 + 5i$, $5 + 8i$ b. Using the definition of $G_k$ and the properties of the Fibonacci sequence, we have $G_k = f_k + if_{k+1} = (f_{k-1} + f_{k-2}) + (f_k + f_{k-1})i = (f_{k-1} + f_ki) + (f_{k-2} + f_{k-1}i) = G_{k-1} + G_{k-2}$.

We proceed by induction. For the basis step, note that $G_2G_1 - G_3G_0 = (1 + 2i)(1 + i) - (2 + 3i)(i) = 2 + i$, so the basis step holds. Now assume the identity holds for values less than $n$. We compute, using the identity in Exercise 37, $G_{n+2}G_{n+1} - G_{n+3}G_n = (G_{n+1} + G_n)G_{n+1} - (G_{n+2} + G_{n+1})G_n = G_{n+1}^2 - G_{n+2}G_n = G_{n+1}^2 - (G_{n+1} + G_n)G_n = G_{n+1}^2 - G_n^2 - G_{n+1}G_n = (G_{n+1} + G_n)(G_{n+1} - G_n) - G_{n+1}G_n = G_{n+2}G_{n-1} - G_{n+1}G_n = -(-1)^{n-1}(2 + i) = (-1)^n(2 + i)$, which completes the induction step.

Because the coefficients of the polynomial are real, the other root is $r - si$, and over the complex numbers the polynomial must factor as $(z - (r + si))(z - (r - si)) = z^2 - 2rz + r^2 + s^2$. The $z$-coefficients, $a = 2r$ and $b = r^2 + s^2$, are integers. Then $r = a/2$ and $s^2 = (4b - a^2)/4$, which shows that $s = c/2$ for some integer $c$. Multiplying by 4, we have $a^2 + c^2 \equiv 0 \pmod 4$, which can be true only if both $a$ and $c$ are even; hence, $r$ and $s$ are integers and $r + si$ is a Gaussian integer.


Let 8 =1+ 2i so that N($) =S. From the proof of the Division algorithm, we have for a 
Gaussian integer a that there exist Gaussian integers y and p such thata = yf+ pe with 
N(e) < N(B)/2 =5/2. Therefore, the only possible remainders upon division by 1+ 2i are 
0, 1,i, 1+ 7 and their associates. Furthermore, we can always replace a remainder of 1 + i with 
a remainder of —1 because a = By + (1+ i) =AB(v+)D+(1+4+i) —(4+2i) = Biv +) —i. 
So we may take the entire set of remainders to be 0, 1, —1, i and —i. Consider dividing each of 
the Gaussian primes 7, ..., 24 by f. If any two left the same remainder p, then § divides the 
difference between the two primes. But all these differences are either 2 or +1 + i, which are not 
divisible by 8. Further, since these are all prime, none of the remainders are 0. Therefore, the 
remainders are exactly the set 1, —1, i, and —i. Now divide a + bi by f and let the remainder 
be p. If o is not zero, then it is one of 1, —1, i, or —i. But then one of 7, ..., 14 leaves the 
same remainder upon division by f, say x,. Then 6 divides m;, — (a + bi) which is a unit, a 
contradiction. Therefore, o = 0. Therefore, 1 + 2i divides a + bi. A similar argument shows that 
1 — 23 also divides a + bi. Therefore, the product of these primes (1 — 2i)(1+ 2i) = S also divides 
a + bi, and hence each of the components. Now suppose that b = 0. Then a + 1 are prime and by 
Exercise 23, a + 1 are odd. Therefore, one of them, say a + 1, is a prime congruent to 1 modulo 
4. By Theorem 13.5, there exist integers x, and y such thata + 1=x? + y? = (x + yi)(x — yi). 
Because a + 1 is prime, one of x + yi is a unit, which implies that one of x or y is zero, which in 
tum implies that a + 1 is a square. So in any case, one of a + 1is not a Gaussian prime. Therefore, 
b £0. Similarly, if we apply Exercise 26, we see that a 4 0. 


Taking norms of the equation $\alpha\beta\gamma = 1$ shows that all three numbers must be units in the Gaussian integers, which restricts our choices to 1, $-1$, $i$, and $-i$. Choosing three of these in the equation $\alpha + \beta + \gamma = 1$, we have the possible solutions, up to permutation, $(1, 1, -1)$, $(1, i, -i)$, but only the second solution works in the first equation, leaving $(1, i, -i)$ as the only solution.


Section 14.2 


1. Certainly $1 \mid \pi_1$ and $1 \mid \pi_2$. Suppose $\delta \mid \pi_1$ and $\delta \mid \pi_2$. Because $\pi_1$ and $\pi_2$ are Gaussian primes, $\delta$ must be either a unit or an associate of the primes. But because $\pi_1$ and $\pi_2$ are not associates, they cannot have an associate in common, so $\delta$ is a unit and so $\delta \mid 1$. Therefore, 1 satisfies the definition of a greatest common divisor for $\pi_1$ and $\pi_2$.


11. 


13. 


15. 


17. 


19. 
21. 


25. 
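Because $\gamma$ is a greatest common divisor of $\alpha$ and $\beta$, we have $\gamma \mid \alpha$ and $\gamma \mid \beta$, so there exist Gaussian integers $\mu$ and $\nu$ such that $\mu\gamma = \alpha$ and $\nu\gamma = \beta$. So that $\overline{\mu\gamma} = \bar{\mu} \cdot \bar{\gamma} = \bar{\alpha}$ and $\overline{\nu\gamma} = \bar{\nu} \cdot \bar{\gamma} = \bar{\beta}$; so that $\bar{\gamma}$ is a common divisor of $\bar{\alpha}$ and $\bar{\beta}$. Further, if $\delta \mid \bar{\alpha}$ and $\delta \mid \bar{\beta}$, then $\bar{\delta} \mid \alpha$ and $\bar{\delta} \mid \beta$, and so $\bar{\delta} \mid \gamma$ by the definition of greatest common divisor. But then $\bar{\bar{\delta}} \mid \bar{\gamma}$ and $\bar{\bar{\delta}} = \delta$, which shows that $\bar{\gamma}$ is a greatest common divisor for $\bar{\alpha}$ and $\bar{\beta}$.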


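Let $\epsilon\gamma$, where $\epsilon$ is a unit, be an associate of $\gamma$. Because $\gamma \mid \alpha$, there is a Gaussian integer $\mu$ such that $\mu\gamma = \alpha$. Because $\epsilon$ is a unit, $1/\epsilon$ is also a Gaussian integer. Then $(1/\epsilon)\mu(\epsilon\gamma) = \alpha$, so $\epsilon\gamma \mid \alpha$. Similarly, $\epsilon\gamma \mid \beta$. If $\delta \mid \alpha$ and $\delta \mid \beta$, then $\delta \mid \gamma$ by definition of greatest common divisor, so there exists a Gaussian integer $\nu$ such that $\nu\delta = \gamma$. Then $\epsilon\nu\delta = \epsilon\gamma$, and because $\epsilon\nu$ is a Gaussian integer, we have $\delta \mid \epsilon\gamma$, so $\epsilon\gamma$ satisfies the definition of a greatest common divisor.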


Take $(3 - 2i)$ and $(3 + 2i)$, for example.


Because $a$ and $b$ are relatively prime rational integers, there exist rational integers $m$ and $n$ such that $am + bn = 1$. Let $\delta$ be a greatest common divisor of the Gaussian integers $a$ and $b$. Then $\delta$ divides $am + bn = 1$. Therefore, $\delta$ is a unit in the Gaussian integers and hence $a$ and $b$ are relatively prime Gaussian integers.


a. We have $44 + 18i = (12 - 16i)(1 + 2i) + 10i$; $12 - 16i = (10i)(-2 - i) + (2 + 4i)$; $10i = (2 + 4i)(2 + i) + 0$. The last nonzero remainder, $2 + 4i$, is a greatest common divisor.

b. By part (a), $2 + 4i = (12 - 16i) - (10i)(-2 - i) = (12 - 16i) - ((44 + 18i) - (12 - 16i)(1 + 2i))(-2 - i) = (2 + i)(44 + 18i) + (1 + (1 + 2i)(-2 - i))(12 - 16i) = (2 + i)(44 + 18i) + (1 - 5i)(12 - 16i)$. Take $\mu = 2 + i$ and $\nu = 1 - 5i$.


We proceed by induction. We have $G_0 = i$ and $G_1 = 1 + i$. Because $G_0$ is a unit, these are relatively prime and this completes the basis step. Assume we know that $G_k$ and $G_{k-1}$ are relatively prime. Suppose $\delta \mid G_k$ and $\delta \mid G_{k+1}$. Then $\delta \mid (G_{k+1} - G_k) = (G_k + G_{k-1} - G_k) = G_{k-1}$, so $\delta$ is a common divisor of $G_k$ and $G_{k-1}$, which are relatively prime. Hence, 1 is a greatest common divisor of $G_{k+1}$ and $G_k$.


Let k be the smallest rational integer such that N(w) < 2*. Dividing B = pp by a = p, in the first 
step of the Euclidean algorithm gives us B = ya + p> with N(p.) < N(a) < 2*—!. The next step 
of the Euclidean algorithm gives us a = y302 + 03 with N(p3) < N(p2) < 2*-?. Continuing with 
the algorithm shows us that N(p;) < 2*-&— = 2, so that the Euclidean algorithm must terminate 
in no more than k = [logy N(a)]+ 1 steps. And thus we have k = O(log,(N(q@)). 


a. (-I)(1— 2i1)(1—4i)  b. 3 — 138 = (-D (1 +:1)(54+ 81) & (—D0+1)4(7) 
d. i(1 + 1)8(1 + 2%)2(1 — 23)? 


a. 48 b. 120 c. 1792 d. 2592


Assume $n$ and $a + bi$ are relatively prime. Then there exist Gaussian integers $\mu$ and $\nu$ such that $\mu n + \nu(a + bi) = 1$. If we take conjugates of both sides and recall that the conjugate of a rational integer is itself, we have $\bar{\mu} n + \bar{\nu}(a - bi) = 1$, so $n$ is also relatively prime to $a - bi$. Because $a - bi$ is an associate of $b + ai$ (multiply by $i$), we have the result. The converse is true by symmetry.


. Suppose that 71, 72, ..., 7m, are all of the Gaussian primes and form the Gaussian integer 


OQ =7\07---2, + 1. From Theorem 14.10, we know that Q has a unique factorization into 
Gaussian primes, and hence is divisible by some Gaussian prime p. Then p|Q and p| 17 - - - m,, 
so p divides their difference, which is 1, a contradiction, unless p is a prime different from 
I}, 1, ..-, Mg, proving that we did not have all the Gaussian primes. 
Because $\alpha$ and $\mu$ are relatively prime, there exist Gaussian integers $\sigma$ and $\tau$ such that $\sigma\alpha + \tau\mu = 1$. If we multiply through by $\beta$, we get $\beta\sigma\alpha + \beta\tau\mu = \beta$, so that we know $\alpha(\beta\sigma) \equiv \beta \pmod{\mu}$ and thus $x \equiv \beta\sigma \pmod{\mu}$ is the solution.


a,x =5—4i (mod 13) bx=1-—2i(mod4+i) cx=3i (mod2 + 3) 


Chinese Remainder Theorem for Gaussian Integers. Let $\mu_1, \mu_2, \ldots, \mu_r$ be pairwise relatively prime Gaussian integers, and let $\alpha_1, \alpha_2, \ldots, \alpha_r$ be Gaussian integers. Then the system of congruences $x \equiv \alpha_i \pmod{\mu_i}$, $i = 1, \ldots, r$ has a unique solution modulo $M = \mu_1\mu_2 \cdots \mu_r$.

Proof: To construct a solution, for each $k = 1, \ldots, r$, let $M_k = M/\mu_k$. Then $M_k$ and $\mu_k$ are relatively prime, because $\mu_k$ is relatively prime to all of the factors of $M_k$. Then from Exercise 24, we know $M_k$ has an inverse $\lambda_k$ modulo $\mu_k$, so that $M_k\lambda_k \equiv 1 \pmod{\mu_k}$. Now let $x = \alpha_1 M_1 \lambda_1 + \cdots + \alpha_r M_r \lambda_r$. We will show $x$ is the solution to the system.

Because $\mu_k \mid M_j$ whenever $j \ne k$, we have $\alpha_j M_j \lambda_j \equiv 0 \pmod{\mu_k}$ whenever $j \ne k$. Therefore, $x \equiv \alpha_k M_k \lambda_k \pmod{\mu_k}$. Also, because $\lambda_k$ is an inverse for $M_k$ modulo $\mu_k$, we have $x \equiv \alpha_k \pmod{\mu_k}$ for every $k$, as desired.

Now suppose there is another solution $y$ to the system. Then $x \equiv \alpha_k \equiv y \pmod{\mu_k}$, and so $\mu_k \mid (x - y)$ for every $k$. Because the $\mu_k$ are pairwise relatively prime, no Gaussian prime appears in more than one of their prime factorizations. Therefore, if a Gaussian prime power $\pi^e \mid (x - y)$, then it divides exactly one of the $\mu_k$'s. Therefore, the product $M$ of the $\mu_k$'s also divides $x - y$, and so $x \equiv y \pmod{M}$, showing that $x$ is unique modulo $M$.
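As an added Python example (not from the book), the following carries out the division step, the Euclidean algorithm with back substitution, and the construction of $x$ from the inverses of the $M_k$ in the proof above, all in exact integer arithmetic. The class `G`, the function names and the three-congruence sample system are assumptions made for illustration; the pair $44 + 18i$, $12 - 16i$ is the one worked earlier in this section.

```python
"""Exact Gaussian-integer arithmetic: division, extended Euclid, CRT (added example)."""
from functools import reduce
from operator import mul


class G:
    """Gaussian integer a + bi with exact integer parts (hypothetical helper class)."""
    __slots__ = ("a", "b")

    def __init__(self, a, b=0):
        self.a, self.b = int(a), int(b)

    def __add__(self, o):
        return G(self.a + o.a, self.b + o.b)

    def __sub__(self, o):
        return G(self.a - o.a, self.b - o.b)

    def __mul__(self, o):
        return G(self.a * o.a - self.b * o.b, self.a * o.b + self.b * o.a)

    def __eq__(self, o):
        return isinstance(o, G) and (self.a, self.b) == (o.a, o.b)

    def __hash__(self):
        return hash((self.a, self.b))

    def __repr__(self):
        return f"G({self.a}, {self.b})"

    def conj(self):
        return G(self.a, -self.b)

    def norm(self):
        return self.a * self.a + self.b * self.b


ZERO, ONE = G(0), G(1)


def _nearest(n, d):
    """Integer nearest to n/d for d > 0 (ties round up); no floating point."""
    return (2 * n + d) // (2 * d)


def gdivmod(alpha, beta):
    """Return (gamma, rho) with alpha = gamma*beta + rho and N(rho) <= N(beta)/2."""
    n = beta.norm()
    if n == 0:
        raise ZeroDivisionError("division by the Gaussian integer 0")
    t = alpha * beta.conj()              # alpha/beta = t / N(beta)
    gamma = G(_nearest(t.a, n), _nearest(t.b, n))
    return gamma, alpha - gamma * beta


def xgcd(alpha, beta):
    """Extended Euclid: (delta, mu, nu) with mu*alpha + nu*beta = delta."""
    r0, r1, s0, s1, t0, t1 = alpha, beta, ONE, ZERO, ZERO, ONE
    while r1 != ZERO:
        q, r = gdivmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return r0, s0, t0


def inverse(alpha, mu):
    """Inverse of alpha modulo mu; fails when they share a non-unit divisor."""
    delta, s, _ = xgcd(alpha, mu)
    if delta.norm() != 1:
        raise ValueError(f"{alpha} and {mu} are not relatively prime")
    # delta is a unit, so its inverse is its conjugate: s*conj(delta)*alpha = 1 (mod mu).
    return gdivmod(s * delta.conj(), mu)[1]


def crt(residues, moduli):
    """Solve x = residues[k] (mod moduli[k]) for pairwise coprime moduli.

    Returns (x, M) with M the product of the moduli and x reduced modulo M.
    """
    residues, moduli = list(residues), list(moduli)
    if len(residues) != len(moduli):
        raise ValueError("need one residue per modulus")
    M = reduce(mul, moduli, ONE)
    x = ZERO
    for k, (a_k, mu_k) in enumerate(zip(residues, moduli)):
        M_k = reduce(mul, moduli[:k] + moduli[k + 1:], ONE)   # M / mu_k
        x = x + a_k * M_k * inverse(M_k, mu_k)
    return gdivmod(x, M)[1], M


if __name__ == "__main__":
    # Pair from this section's worked Euclidean algorithm.
    print(xgcd(G(44, 18), G(12, -16)))
    # Constructed sample system: x = i (mod 1+2i), x = 1+i (mod 3), x = 2 (mod 2+3i).
    print(crt([G(0, 1), G(1, 1), G(2)], [G(1, 2), G(3), G(2, 3)]))
```

A greatest common divisor is determined only up to a unit, so `xgcd` may return any of the four associates; `inverse` normalizes by multiplying with the conjugate of that unit.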

$x \equiv 9 + 23i \pmod{26 + 7i}$

a. $\{0, 1\}$ b. $\{0, 1, i, 1 + i\}$ c. $\{0, 1, 2, 2i, -1 - i, -i, 1 - i, -1 + i, i, 1 + i, -2i, -2, -1\}$

Let $\alpha = a + bi$ and $d = \gcd(a, b)$. We assert that the set $S = \{p + qi \mid 0 \le p < N(\alpha)/d,\ 0 \le q < d\}$ is a complete residue system. Note that this represents a rectangle of lattice points in the plane. We create two multiples of $\alpha$. First, $N(\alpha)/d = \alpha(\bar{\alpha}/d)$ is a real number and a multiple of $\alpha$. Second, there exist rational integers $r$ and $s$ such that $ra + sb = d$. So we have the multiple of $\alpha$ given by $\nu = (s + ir)\alpha = (s + ir)(a + bi) = (as - br) + di$. Now it is clear that any Gaussian integer is congruent modulo $\alpha$ to an integer in the rectangle $S$, because first we can add or subtract multiples of $\nu$ until the imaginary part is between $0$ and $d - 1$ and then add and subtract multiples of $N(\alpha)/d$ until the real part is between $0$ and $N(\alpha)/d - 1$. It remains to show the elements of $S$ are incongruent to each other modulo $\alpha$. Suppose $\beta$ and $\gamma$ are in $S$ and congruent to each other modulo $\alpha$. Then the imaginary part of $\beta - \gamma$ must be divisible by $d$, but because these must lie in the interval from $0$ to $d - 1$, they must be equal. Therefore, the difference between $\beta$ and $\gamma$ is real and divisible by $\alpha$, hence by $\bar{\alpha}$ and hence by $\alpha\bar{\alpha}/d = N(\alpha)/d$, which proves they are equal. Because $S$ has $N(\alpha)$ elements, we are done.

a. $\{i, -i, 1, -1\}$ b. $\{i, -i, 1, 1 + 2i, 2 + i, 2 - i, -1, -1 + 2i\}$ c. $\{i, 2 - i, -2 + i, -i, 1, 1 + 2i, -1 - 2i, -1\}$

By the properties of the norm function and Exercise 37, we know that there are $N(\pi^e) = N(\pi)^e$ residue classes modulo $\pi^e$. Let $\pi = r + si$, and $d = \gcd(r, s)$. Also, by Exercise 37, a complete residue system modulo $\pi^e$ is given by the rectangle $S = \{p + qi \mid 0 \le p < N(\pi^e)/d,\ 0 \le q < d\}$, while a complete residue system modulo $\pi$ is given by the rectangle $T = \{p + qi \mid 0 \le p < N(\pi)/d,\ 0 \le q < d\}$. Note that in $T$ there is exactly one element not relatively prime to $\pi$, and that there are $N(\pi)^{e-1}$ copies of $T$, congruent modulo $\pi$, inside of $S$. Therefore, there are exactly $N(\pi)^{e-1}$ elements in $S$ not relatively prime to $\pi$. Thus, there are $N(\pi)^e - N(\pi)^{e-1}$ elements in a reduced residue system modulo $\pi^e$.

a. First note that because $r + s\sqrt{-5}$ is a root of a monic polynomial with integer coefficients, the other root must be $r - s\sqrt{-5}$ and the polynomial is $(x - (r + s\sqrt{-5}))(x - (r - s\sqrt{-5})) = x^2 - 2rx + (r^2 + 5s^2) = x^2 - ax + b$, where $a$ and $b$ are rational integers. Then $r = a/2$ and $5s^2 = (4b - a^2)/4$, so that $s = c/2$ for some integer $c$. (Note that 5 cannot appear in the denominator of $s$, or else when we square it, the single factor of 5 in the expression leaves a remaining factor in the denominator, which does not appear on the right side of the equation.) Substituting these expressions for $r$ and $s$, we have $(a/2)^2 + 5(c/2)^2 = b$, or upon multiplication by 4, $a^2 + 5c^2 = 4b \equiv 0 \pmod{4}$, which has solutions only when $a$ and $c$ are even. Therefore, $r$ and $s$ are rational integers.

b. Let $\alpha = a + b\sqrt{-5}$ and $\beta = c + d\sqrt{-5}$. Then $\alpha + \beta = (a + c) + (b + d)\sqrt{-5}$ and $\alpha - \beta = (a - c) + (b - d)\sqrt{-5}$, and $\alpha\beta = (ac - 5bd) + (ad + bc)\sqrt{-5}$. Because the rational integers are closed under addition, subtraction, and multiplication, all of the results are again of the form $p + q\sqrt{-5}$ with $p$ and $q$ rational integers.

c. yes, no

d. Let $\alpha = a + b\sqrt{-5}$ and $\beta = c + d\sqrt{-5}$. Then $N(\alpha)N(\beta) = (a^2 + 5b^2)(c^2 + 5d^2) = a^2c^2 + 5a^2d^2 + 5b^2c^2 + 25b^2d^2$. On the other hand, $\alpha\beta = (ac - 5bd) + (ad + bc)\sqrt{-5}$ and $N((ac - 5bd) + (ad + bc)\sqrt{-5}) = (ac - 5bd)^2 + 5(ad + bc)^2 = a^2c^2 - 10acbd + 25b^2d^2 + 5(a^2d^2 + 2adbc + b^2c^2) = a^2c^2 + 5a^2d^2 + 5b^2c^2 + 25b^2d^2$, which is equal to the expression above, proving the assertion.

e. If $\epsilon$ is a unit in $\mathbb{Z}[\sqrt{-5}]$, then there exists an $\eta$ such that $\epsilon\eta = 1$. From part (d), we have $N(\epsilon\eta) = N(\epsilon)N(\eta) = N(1) = 1$, so $N(\epsilon) = 1$. Suppose $\epsilon = a + b\sqrt{-5}$, then $N(\epsilon) = a^2 + 5b^2 = 1$, which shows that $b = 0$, and hence $a^2 = 1$, so that we know $a = \pm 1$. Therefore, the only units are $1$ and $-1$.

f. If an integer $\alpha$ in $\mathbb{Z}[\sqrt{-5}]$ is not a unit and not prime, then it must have two non-unit divisors $\beta$ and $\gamma$ such that $N(\beta)N(\gamma) = N(\alpha)$. To see that 2 is prime, note that a divisor $\beta = a + b\sqrt{-5}$ has norm $a^2 + 5b^2$, while $N(2) = 4$, which forces $b = 0$. If $\beta$ is not a unit, then $a = \pm 2$, but then this forces $\gamma$ to be a unit; hence 2 is prime. To see that 3 is prime, we seek divisors of $N(3) = 9$ among $a^2 + 5b^2$. We see that $b$ can be only $0$ or $\pm 1$, or else the norm is too large. And if $b = \pm 1$, then the only possible divisor is 9 itself, forcing the other divisor to be a unit. If $b = 0$, then $a = \pm 3$, and hence 3 is prime. To see that $1 + \sqrt{-5}$ is prime, note that its norm is 6. A divisor $a + bi$ can have $b$ take on the values $0$ and $\pm 1$, else the norm is too large. If $b = 0$, then $a^2 \mid 6$, a contradiction, so $b = \pm 1$. But then $(a^2 + 5) \mid 6$, forcing $a = \pm 1$. But $N(\pm 1 + \sqrt{-5}) = 6$, so the other divisor is a unit, and so $1 + \sqrt{-5}$ is also prime. Note then that $2 \cdot 3 = 6$ and $(1 - \sqrt{-5})(1 + \sqrt{-5}) = 6$, so that we do not have unique factorization into primes in $\mathbb{Z}[\sqrt{-5}]$.

g. Suppose $\gamma$ and $\rho$ exist. Note first that $(7 - 2\sqrt{-5})/(1 + \sqrt{-5}) = -1/2 - (3/2)\sqrt{-5}$, so $\rho \ne 0$. Let $\gamma = a + b\sqrt{-5}$ and $\rho = c + d\sqrt{-5}$. Then from $7 - 2\sqrt{-5} = (1 + \sqrt{-5})(a + b\sqrt{-5}) + (c + d\sqrt{-5}) = (a - 5b + c) + (a + b + d)\sqrt{-5}$, we get $7 = a - 5b + c$ and $-2 = a + b + d$. If we subtract the second equation from the first, we have $9 = -6b + c - d$ or $c - d = 6b + 9$. Therefore, $3 \mid c - d$, and because $\rho \ne 0$, $c - d \ne 0$, so $|c - d| \ge 3$. We consider $N(\rho) = c^2 + 5d^2$. If $d = 0$, then $N(\rho) \ge c^2 \ge 3^2 > 6$. If $d = \pm 1$, then $|c| \ge 2$ and $N(\rho) = c^2 + 5d^2 \ge 4 + 5 > 6$. If $|d| \ge 2$, then $N(\rho) \ge 5d^2 \ge 5 \cdot 2^2 = 20 > 6$, so in every case the norm of $\rho$ is greater than 6. So no such $\gamma$ and $\rho$ exist, and there is no analog for the division algorithm in $\mathbb{Z}[\sqrt{-5}]$.

h. Suppose $\mu = a + b\sqrt{-5}$ and $\nu = c + d\sqrt{-5}$ is a solution to the equation. Then $3(a + b\sqrt{-5}) + (1 + \sqrt{-5})(c + d\sqrt{-5}) = (3a + c - 5d) + (3b + c + d)\sqrt{-5} = 1$. So we must have $3a + c - 5d = 1$ and $3b + c + d = 0$. If we subtract the second equation from the first, we get $3a - 3b - 6d = 1$, which implies that $3 \mid 1$, an absurdity. Therefore, no such solution exists.


Section 14.3 
1. a. 8 b. 8 c. 0 d. 16


3. We first check that a greatest common divisor $\delta$ of $\alpha$ and $\beta$ divides $\gamma$, otherwise no solution exists. If a solution exists, we use the Euclidean algorithm and back substitution to express $\delta$ as a linear combination of $\alpha$ and $\beta$: $\alpha\mu + \beta\nu = \delta$. Because $\delta$ divides $\gamma$, there is a Gaussian integer $\eta$ such that $\delta\eta = \gamma$. If we multiply the last equation by $\eta$, we have $\alpha\mu\eta + \beta\nu\eta = \delta\eta = \gamma$, so we may take $x_0 = \mu\eta$ and $y_0 = \nu\eta$ as a solution. The set of all solutions is given by $x = x_0 + \beta\tau/\delta$, $y = y_0 - \alpha\tau/\delta$, where $\tau$ ranges over the Gaussian integers.
5. a. no solutions b. no solutions


7. Let $\alpha = a + bi$. Then $N(\alpha) = a^2 + b^2 = p$, and by Theorem 14.5, we know that $\alpha$ and $\bar{\alpha}$ are Gaussian primes. Similarly, if $\gamma = c + di$, then $\gamma$ and $\bar{\gamma}$ are Gaussian primes. By Theorem 14.10, $\alpha$ must be an associate of $\gamma$ or $\bar{\gamma}$. So $\alpha$ must equal one of the following: $\pm c \pm di$, $\pm d \pm ci$, and in any of these cases we must have $a = \pm c$ and $b = \pm d$ or $a = \pm d$ and $b = \pm c$. Squaring these equations gives the result.


9. Suppose $x, y, z$ is a primitive Pythagorean triple with $y$ even, so that $x$ and $z$ are necessarily odd. Then $z^2 = x^2 + y^2 = (x + iy)(x - iy)$ in the Gaussian integers. If a rational prime $p$ divides $x + iy$, then it must divide both $x$ and $y$, which contradicts the fact that the triple is primitive. Therefore, the only Gaussian primes that divide $x + iy$ are of the form $m + in$ with $n \ne 0$. Also, if $1 + i \mid x + iy$, then we have the conjugate relationship $1 - i \mid x - iy$, which implies that $2 = (1 - i)(1 + i)$ divides $z^2$, which is odd, a contradiction. Therefore, we conclude that $1 + i$ does not divide $x + iy$, and hence neither does 2. Suppose $\delta$ is a common divisor of $x + iy$ and $x - iy$. Then $\delta$ divides the sum $2x$ and the difference $2iy$. Because we know that 2 is not a common factor, $\delta$ must divide both $x$ and $y$, which we know are relatively prime. Hence, $\delta$ is a unit and $x + iy$ and $x - iy$ are also relatively prime. Then we know that every prime that divides $x + iy$ is of the form $\pi = u + iv$, and so $\bar{\pi} = u - iv$ divides $x - iy$. Because their product equals a square, each factor is a square. Thus, $x + iy = (m + in)^2$ and $x - iy = (m - in)^2$ for some Gaussian integer $m + in$ and its conjugate. But then $x + iy = m^2 - n^2 + 2mni$, so $x = m^2 - n^2$ and $y = 2mn$. And $z^2 = (m + ni)^2(m - ni)^2 = (m^2 + n^2)^2$, so $z = m^2 + n^2$. Further, if $m$ and $n$ were both odd or both even, we would have $z$ even, a contradiction, so we may conclude that $m$ and $n$ have opposite parity. Finally, having found $m$ and $n$ that work, if $m < n$, then we can multiply by $i$ and reverse their roles to get $m > n$. The converse is exactly as in Section 13.1.


11. By Lemma 14.3, there is a unique rational prime p such that 2|p. Leta =a + bi and consider 3 


cases. 

Case 1: If p = 2, then z is an associate of 1+ i and N(z) — 1= 1. Since there are only 
two congruence classes modulo 1+ i and since a and 1+ i are relatively prime, we have 
aN@)-1 — yw = 1 (mod 1+i). 

Case 2: If p = 3 (mod 4), then z and p are associates and N(z) — 1= p* — 1. Also (—i)? = 
—i. By the binomial theorem, we have a? = (a + bi)? =a? + (bi)? = —ib? =a —bi=a 
(mod p), using Fermat’s little theorem. Similarly, @? =a (mod p), so thata” =a? =a (mod p), 
and since p = x anda and z are relatively prime, we have a )—! = 1 (mod p). 

Case 3: If p = 1 (mod 4), then rz = p, i? =i, and N(x) — 1= p — 1. By the Binomial 
theorem, we have a? = (a+ bi)? =a? + (bi)? =a+ bi =a (mod p), using Fermat’s little 
theorem. Cancelling an a gives us w?—! = 1 (mod p), and because 2|p, we have aN™)-! = 1 
(mod zr), which concludes the proof. 


13. Let x be a Gaussian prime. If a? = 1 (mod z), then z|a? — 1= (a — 1)(a + 1), so that either 


a =1 or a =-—1 (mod 2). Therefore, only 1 and —1 can be their own inverses modulo z. 

Now let a; = 1, @,..., @,_1, &, = —1 be a reduced residue system modulo z. For each a;, 

k=2,3,...,7 — 1, there is a multiplicative inverse modulo x a such that 0,007 = 1(mod z). If 

we group all such pairs in the reduced residue system together, then the product is easy to evaluate: 

010g + + +, = 1(a2@4) (ar3014) - - - (@,_1)(@,_,)(—1) = —1 (mod 7), which proves the theorem. 
Appendix A 


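1. a. $a(b + c) = (b + c)a = ba + ca = ab + ac$ b. $(a + b)^2 = (a + b)(a + b) = a(a + b) + b(a + b) = a^2 + ab + ba + b^2 = a^2 + 2ab + b^2$ c. $a + (b + c) = a + (c + b) = (a + c) + b = (c + a) + b$ d. $(b - a) + (c - b) + (a - c) = (-a + b) + (-b + c) + (-c + a) = -a + (b - b) + (c - c) + a$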
By the definition of the inverse of an element, $0 + (-0) = 0$. But because 0 is an identity element, we have $0 + (-0) = -0$. It follows that $-0 = 0$.

Let $x$ be a positive integer. Because $x = x - 0$ is positive, $x > 0$. Now let $x > 0$. Then $x - 0 = x$ is positive.

We have $a - c = a + (-b + b) - c = (a - b) + (b - c)$, which is positive from our hypothesis and the closure of the positive integers.

Suppose that there are positive integers less than 1. By the well-ordering property, there is a least such integer, say, $a$. Because $a < 1$ and $a > 0$, Example A.2 shows that $a^2 = aa < 1a = a$. Because $a^2 > 0$, it follows that $a^2$ is a positive integer less than $a$, which is a contradiction.


Appendix B 


1. 


11. 


13. 


15. 


17. 
19. 


a. We have $\binom{100}{0} = 100!/(0!\,100!) = 1$. b. We have $\binom{50}{1} = 50!/(1!\,49!) = 50$. c. We have $\binom{20}{3} = 20!/(3!\,17!) = 1140$. d. We have $\binom{11}{5} = 11!/(5!\,6!) = 462$. e. We have $\binom{10}{7} = 10!/(7!\,3!) = 120$. f. We have $\binom{70}{70} = 70!/(70!\,0!) = 1$.


a. $a^5 + 5a^4b + 10a^3b^2 + 10a^2b^3 + 5ab^4 + b^5$

b. $x^{10} + 10x^9y + 45x^8y^2 + 120x^7y^3 + 210x^6y^4 + 252x^5y^5 + 210x^4y^6 + 120x^3y^7 + 45x^2y^8 + 10xy^9 + y^{10}$

c. $m^7 - 7m^6n + 21m^5n^2 - 35m^4n^3 + 35m^3n^4 - 21m^2n^5 + 7mn^6 - n^7$

d. $16a^4 + 96a^3b + 216a^2b^2 + 216ab^3 + 81b^4$

e. $243x^5 - 1620x^4y + 4320x^3y^2 - 5760x^2y^3 + 3840xy^4 - 1024y^5$

f. $390625x^8 + 4375000x^7 + 21437500x^6 + 60025000x^5 + 105043750x^4 + 117649000x^3 + 82354300x^2 + 32941720x + 5764801$


. On the one hand, (1+ (—1))” =0" =0. On the other hand, by the binomial theorem, 


nm o(— DE") = 1+ (- DY". 


(OG) =2V/C!a —r))-rVRIG —/))Hnln-—HVRln—k/)in—-r)\n-k-n+r))= 


(1) (as) 


. We fix r and proceed by induction on n. It is easy to check the cases whenn =r andn=r + 1. 


Suppose the identity holds for all values from r ton — 1. Then consider the sum (”) + ("F1) +. «+ 


r 
(")=(a)+ (() + C)) + ((?) + (*4)) tere ("7") + Cz), where we have used 
(") = ((<}) and Pascal’s identity. Regrouping this sum gives us (( TD) +0.) te + js) a 


r 


r r r 


(i) + ey) = (ae) which concludes the induction step. 


Using Exercise 10, (*) + (, tp = XV —n))+x/(n+ Dia —n- DYN =! + 
1))/(a + DIG —n)!) + ala — n))/(n + +)'@—-—n))=@!@ —n+n4+)))/(2t+ DIG - 
ny!) =(x + DY (n+ Di! — n)) = GF) 

Let $S$ be a set of $n$ copies of $x + y$. Consider the coefficient of $x^k y^{n-k}$ in the expansion of $(x + y)^n$. Choosing the $x$ from each element of a $k$-element subset of $S$, we notice that the coefficient of $x^k y^{n-k}$ is the number of $k$-element subsets of $S$, $\binom{n}{k}$.


(¢ y+(" ia) He dsdside (.)): By our induction hypothesis, these two sums are equal to 


By counting elements with exactly 0, 1, 2, and 3 properties, we see that only elements with 0 properties are counted in $n - [n(P_1) + n(P_2) + n(P_3)] + [n(P_1, P_2) + n(P_1, P_3) + n(P_2, P_3)] - [n(P_1, P_2, P_3)]$, and those only once.


! 


A term of the sum is of the form ax\!x¥? vee xan where ki + kp +--- +k, =nanda= Ae a 
56133000000 
Decryption, 292

Decryption key, for RSA cipher, 326 


Deficient integer, 267 
Definition, recursive, 26 
de Polignac, A., 91 
Derivative of a polynomial, 173 
Descent, proof by, 535 
Deterministic algorithm, 76 
Diabolic square, 187 
Diagonal, 
negative, 187 
positive, 187 
Diagram, Ferrers, 279 
Diffie, W., 338 
Diffie-Hellman key exchange, 338-339 
Digit, 45 
Digit, check, 209 
Digital signature, 339-340 
Digital Signature Algorithm (DSA), 
407 
Digraphs, 
frequencies of, 308-309 
Digraphic cipher, 305 
Diophantine approximation, 8 
Diophantine equation, 137 
linear, 137 
nonlinear, 522-572 
Diophantine geometry, 526 
Diophantus, 8, 128, 137, 541 
for the progression 4n + 3, 118
for the progression 8n + 3, 427
for the progression 8n + 5, 427 
for the progression 8n + 7, 427 
Discrete exponential generator, 401 
Discrete logarithm, 368-369
Discrete logarithm problem, 372 
Distribution of primes, 79-90 
gaps in, 86 
Distributive law, 605 
Divide, 36, 580 
exactly, 121 
Dividend, 37 
Divisibility, 36-37 
of Gaussian integers, 580 
Divisibility tests, 191-194 


Division, 36—37 
algorithm, 37, 583-584 
complexity of, 66 
trial, 74, 127 
Division algorithm, 37 
for Gaussian integers, 583-584 
modified, 41, 111 
Divisor, 37 
greatest common, 39, 93-98 
DNA computing, 324 
Double hashing, 205 
Double Mersenne number, 268 
Dozen, 60 
Draim factorization, 135 
Dummy variable, 16, 20 
Duodecimal notation, 60 
convergent fraction of, 501
Eisenstein prime, 598
Elements (Euclid), 70, 102
ElGamal, T., 402 
ElGamal cryptosystem, 402-405 
signing messages in, 405-407
Elliptic curve, 568 
addition of points on, 568-570 
doubling formula, 570-571 
Elvenich, Hans-Michael, 264
Enciphering, 292 
Encryption, 292 
Encryption key, 292 
for RSA cipher, 323 
End of the world, 28
Bachet, 540
diophantine, 137 
Fermat’s, 3, 530 
Markov’s, 542 
Pell’s, 553-557 
Eratosthenes, 71, 72
Eratosthenes, sieve of, 71—72 
Erdés, Paul, 29, 81, 82, 87 
Euclid, 70, 71, 78, 102 
game of, 111 
Euclidean algorithm, 102-107, 481-483 
complexity of, 105—107 
extended, 108-109 
for Gaussian integers, 591 
Euler, Leonhard, 78, 88, 96, 135, 219, 234, 
235, 261, 277, 283, 284, 286, 350, 
415, 430, 431, 506, 531, 537, 542, 
546, 555, 560, 574 
collected works, 235, 443, 560 
Euler-Mullin sequence, 78 
Euler parity theorem, 283 
Euler phi-function, 234, 239-245, 634 
formula for, 242 
multiplicativity of, 241 
Euler pseudoprime, 453 
Euler’s criterion, 418 
Euler’s factorization, 135 
Euler’s method, 135 
Euler’s partition formula, 286 
Euler’s pentagonal number theorem, 284 
Euler’s theorem, 236—237 
Gaussian integers, analogue for, 604 
Euler’s version of quadratic reciprocity, 
431-4372, 441 
Even number, 39 
Everything, 522 
Exactly divide, 121 
Expansion, 
balanced ternary, 50 
base b, 48, 469 
binary, 48 
binary coded decimal, 51 
Cantor, 52 
continued fraction, 482 
decimal, 48 
hexadecimal, 48 
periodic base b, 473 
periodic continued function, 503-515 
terminating base b, 473 
+1-exponent, 408 
Experimentation in number theory, 3 
Exponent, 
minimal universal, 386 
universal, 386 
Exponentiation, modular, 151-152 
Exponentiation cipher, 318-321 
Factor, 36
Factor base, 520 
Factor table, 627-633 
Factorial function, 20, 26 
Factorization, 112-118, 127-131, 187-189, 
221-222, 517-519 
Draim, 135 
Euler, 135 
Fermat, 128, 130-131 
of Fermat numbers, 132-133 
Pollard p — 1, 221-222 
Pollard rho, 187-189 
prime-power, 113 
speed of, 127-130 
using continued fractions, 518-519 
Failure of unique factorization, 114, 121 
FAQs, 
cryptography, 625 
mathematics, 625 
prime, 624 
Farey, John, 100 
Farey series, 101 
Fefferman, Charles, 87 
Fermat, Pierre de, 128, 130, 131, 219, 521, 
530, 542, 546, 554, 560, 563 
Fermat equation, 3, 530 
Fermat factorization, 130-131 
Fermat number, 131-133, 340, 414 
factorization of, 625 
Fermat prime, 131 
Fermat quotient, 224 
generalized, 390 
Fermat-Catalan conjecture, 537-538 
Fermat’s last theorem, 106, 418, 530— 
536 
history of, 531-534 
proof for n = 3, 531 
proof for n = 4, 535-536 
Fermat’s Last Theorem, the Mathematics of, 
600 
Fermat’s little theorem, 219 
Gaussian integers, analogue for, 604 
Lucas’s converse of, 379 
Ferrers, Norman, 279, 280 
Ferrers diagram, 279 
Fiat-Shamir method, 465 
Fibonacci, 30, 560, 563, 565 
Fibonacci, generator, 400 


Fibonacci numbers, 30-33, 104-105, 340, 
490, 624 
explicit formula for, 33 
Gaussian, 587 
generalized, 35 
growth of, 32-33 
with negative indices, 35 
Fibonacci pseudorandom number generator, 
400 
Fibonacci Quarterly, 33 
Fibonacci sequence, 30 
Field’s medal, 81, 87 
Finding primes, 71 
Findley, Josh, 263 
Flaw in Pentium chip, 86, 89 
Flipping coins electronically, 425 
Floor function, 7 
Formula, 
Euler’s partition, 286 
for primes, 74 
for sum of terms of a geometric series, 18 
for terms of a sequence, 11 
Fortune, R. F., 78 
Four squares, sums of, 218, 541, 545-548, 
532-535 
Fowls, 143 
Fractals, 384 
Fraction, 
continued, 481-519, 640 
Egyptian, 29 
unit, 29 
vulgar, 101 
Fractional part, 8, 469 
Franklin, Fabian, 284 
Frauds, 258 
Frénicle de Bessy, Bernard, 219 
Frequencies, 
of letters 295-296, 
of digraphs, 308 
of polygraphs, 309 
Frequency, 278 
Frequently Asked Questions, 
of letters 295-296, 
of digraphs, 308 
of polygraphs, 309 
Friedman, William, 303 
Frey, Gerhard, 532 
Function, 
absolute value, 9 
additive, 248 
arithmetic, 240 


ceiling, 7 
completely additive, 248 
completely multiplicative, 240 
Euler phi, 234, 239-245, 634
factorial, 20, 26 
floor, 7 
generating, 35-36, 281 
greatest integer, 7 
hashing, 204 
t, 247 
Li, 79, 81 
Liouville’s, 247 
Mangoldt, 276 
Mertens, 276 
Mobius, 270-271 
mod, 147 
multiplicative, 240 
number of divisors, 250 
w, 248 
partition, 278 
m, 72, 77, 223 
1, 92 
rad, 125, 538-539 
Riemann zeta, 80 
Smarandache, 125 
strongly multiplicative, 247 
sum of divisors, 249 
summatory, 250 
zeta, 80 
Fundamental theorem of arithmetic, 112 


Gage, Paul, 262 
Game, 
of Euclid, 111 
of nim, 52 
Gaps, 
between consecutive primes, 86 
in distribution of primes, 84 
Gauss, Karl Friedrich, 73, 79, 84, 106, 134, 
145, 146, 348, 350, 420, 431, 433, 
531, 579 
Gauss’ generalization of Wilson’s theorem, 
224 
Gauss’ lemma, 420 
Gaussian integers, 577-603 
associates, 581 
Chinese remainder theorem for, 596 
congruence of, 587 
divisibility of, 579-580 
division algorithm for, 583-585 
Euclidean algorithm for, 591 
Euler’s theorem for, 604
Fermat’s little theorem for, 604 
greatest common divisor of, 599 
Maple, working with, 618 
unique factorization for, 592-594 
units of, 581 
Wilson’s theorem for, 604 
Gaussian Fibonacci sequence, 587 
Gaussian moats, 588 
Gaussian prime, 581-582 
Generalized Fermat quotient, 390 
Generalized Fibonacci number, 35 
Generalized pentagonal numbers, 286 
Generalized Riemann hypothesis, 75, 231 
Generals, Chinese, 168 
Generating function, 34, 281 
Genghis Khan, 163 
Geometric mean, 29 
Geometric progression, 10 
sum of terms, 17-18 
Geometric series, 
sum of infinite, 469-470 
sum of terms of, 17-18 
Geometry, diophantine, 526 
Germain, Sophie, 75, 531 
Gerstenhaber, M., 431 
GHCQ, 325 
Gillies, Donald, 262 
GIMPS, 262-265, 624 
Goldbach, Christian, 88 
Goldbach’s conjecture, 88 
Goldston, Daniel, 86 
Government Communications Headquarters, 
325 
Great Internet Mersenne Prime Search,
262-265, 624 
Greatest common divisor, 39, 93-99 
algorithms for, 103-109, 110, 111 
finding using prime factorizations, 
114-115 
of Gaussian integers, 589-592 
as least positive linear combination, 
94-97, 107-109 
of more than two integers, 98 
of two integers, 39 
using to break Vigénere ciphers, 302 
Greatest integer function, 7 
Greeks, ancient, 19, 69, 70, 256 
Green, Ben, 87 
Green-Tao theorem, 87 
Gregorian calendar, 197-198 
Hadamard, Jacques, 79, 80
Hajratwala, Nayan, 263 
Hanoi, tower of, 28 
Hardy, G. H., 2, 78, 92, 254, 278 
Harmonic series, 27 
Haros, C., 101 
Hashing, 204—206 

double, 205—206 

function, 204 

quadratic, 429 
Hashing function, 202 
Hastad broadcast attack, 328, 330 
Hellman, M. E., 318, 324, 333 
Hensel, Kurt, 173 
Hensel’s lemma, 173 
Heptadecagon, 146 
Heptagonal number, 21 
Heron triangle, 574 
Hex, 48, 49 
Hexadecimal notation, 48, 49 
Hexagonal number, 21 
Highly composite, 253 
Hilbert, David, 122, 478 
Hilbert prime, 121 
Hill, Lester S., 305, 306 
Hill cipher, 305—309 
Home team, 203 
House of Wisdom, 57 
Horses, same color, 28 
Hundred fowls problem, 143 
Hurwitz, Alexander, 262 
Hyperinflation, 534 
Hypothesis, Riemann, 83 
IBM 7090 computer, 262
Bezout, 95-96
Rogers-Ramanujan, 287 
Identity elements, 605 
ILLIAC, 262 
Inclusion-exclusion, principle of, 77, 
613-614 
Incongruent, 145 
Index arithmetic, 368—371 
Index of coincidence, 303 
Index of an integer, 368, 636-639 
Index of summation, 16 
Index system, 377 


Indices, 368, 636-639 
Induction, mathematical, 23-27 
Induction, strong, 25 
Inductive step, 23 
Inequality, Bonse’s, 91 
Infinite continued fraction, 491 
Infinite descent, 531, 535 
Infinite simple continued fraction, 491 
Infinitude of primes, 70-71, 76, 101, 102, 
124, 125, 133-134 
Initial term of a geometric progression, 10 
Integer, 6 
abundant, 267 
composite, 70 
deficient, 267 
Eisenstein, 597 
Gaussian, 579 
k-abundant, 267 
k-perfect, 267 
order of, 347-348 
palindromic, 195 
powerful, 120 
rational, 579 
square-free, 120
superperfect, 268 
Integers, 6 
Gaussian, 579 
most wanted, ten, 133 
Intel, 86, 89, 266 
325
International Standard Serial Number,
215 
Internet, 239, 261, 624 
Interpolation, Lagrange, 359 
Inverse, additive, 605 
Inverse of an arithmetic function, 247 
Inverse of a matrix modulo m, 178 
Inverse modulo m, 182 
Inversion, Mobius, 272-274 
Involutory matrix, 185 
Irrational number, 6, 118-119 
quadratic, 503-506, 579 
Iterated knapsack cipher, 336
reciprocity law for, 446-447
Julius Caesar, 197, 292
Kaprekar, D. R., 53
Kasiski, F., 302
Kayal, N., 75
Key, 292 
agreement protocol, 338 
common, 338-339 
decryption, 292 
encryption, 292 
exchange, 338-339 
for hashing, 204 
master, 342 
public, 322 
Keystream, 310
Knapsack ciphers, 331-336 
weakness in, 335 
Knapsack problem, 334 
multiplicative, 336-337 
Knuth, Donald, 62, 63 
Kronecker, Leopold, 174, 434, 451,
kth power residue, 372
506-507, 531, 542, 546, 549, 555
Lagrange’s theorem
on continued functions, 506—507 
Lamé, Gabriel, 105, 106, 531
Lamé’s theorem, 105—106 
Landau, Edmund, 62, 89-90 
Largest known primes, 73-74 
Law,
associative, 605 
cancellation, 605 
commutative, 605 
distributive, 605 
trichotomy, 606 
Law of quadratic reciprocity, 418, 430-438 
Leap year, 197 
Least common multiple, 
finding using prime factorizations, 116 
of more than two integers, 123 
of two integers, 116 
Least nonnegative residue, 147 
Least nonnegative residues, 148 
Least positive residue, 147 
Least primitive root for a prime, 358 
Least-remainder algorithm, 111 
Leblanc, M. (pseudonym of Sophie 
Germain), 531 
Legendre, Adrien-Marie, 79, 417, 418, 531 
Legendre conjecture, 89-90 
Legendre symbol, 417 
Lehmer, Derrick, 249, 259, 518 
Lehmer, Emma, 262 
Lemma, 
Gauss’s, 420 
Hensel’s, 173 
Thue’s, 551 
Lemmermeyer, Franz, 431 
Lenstra, Arjen, 130 
Lenstra, H., 75 
Letters, frequencies of, 295—296 
Lifting solutions, 173 
Linear combination, 94 
greatest common divisor as a, 94-97, 
107-109, 110 
Linear congruence, 157 
Linear congruences, systems of, 162, 178 
Linear congruential method, 395-396 
Linear diophantine equation, 137 
in more than two variables, 140 
nonnegative solutions, 142 
Linear homogeneous recurrence relation, 33 
Liouville, Joseph, 247, 248, 476 
Liouville’s function, 247 
Little theorem, Fermat’s, 219 
Littlewood, J. E., 78, 84, 92, 254 
Lobsters, 142, 169 
Logarithm, discrete, 368 
Logarithmic integral, 79 
Logarithms modulo p, 368 
Lowest terms, 94 
Lucas, Edouard, 30, 34, 259, 261, 379 

Lucas converse of Fermat’s little theorem, 
379 

Lucas numbers, 34 

Lucas-Lehmer test, 259-260 

Lucifer, 310 

Lucky numbers, 77 


MacMahon, Percy, 286 
MacTutor History of Mathematics Archives, 
MAD Magazine, 63 
Magic square, 186 
Mahavira, 141 
Mangoldt function, 276 
Manhattan project, 15 
Maple, 615-619 

Gaussian integer package, 618 
Markov’s equation, 542 
Master key, 342, 359 
Master Sun, 162 
Mathematica, 619-623 
Mathematical induction, 23-26 

origins of, 24 

second principle, 25 
Mathematics, Prince of, 146 
Matrices, congruent, 180-181 
Matrix, involutory, 185 
Matrix multiplication, 67 
Maurolico, Francesco, 24 
Maximal ±1-exponent, 408 
Mayans, 45 
Mean, 

arithmetic, 29 

geometric, 29 
Merkle, R. C., 333 
Mersenne, Marin, 128, 258 
Mersenne numbers, 258, 428 

double, 268 
Mersenne primes, 73-74, 258-266, 382, 396, 

428, 624 

search for, 261—265, 624 
Mertens, Franz, 274 
Mertens conjecture, 276 
Mertens function, 274, 276 
Message expansion factor, 403 
Kasiski’s, 302 

Monte Carlo, 187 
Method of infinite descent, 531, 535 
Middle-square method, 394 
Mihailescu, Preda, 537 


Miller’s test, 228-229, 373 
Mills, W. H., 74 
Mills formula, 74 
Minimal universal exponent, 386 
Minims, order of the, 258 
Minimum-disclosure proof, 461-462 
MIPS-years, 129 
Moats, Gaussian, 588 
Möbius, A. F., 271 
Möbius function, 270-271 
Möbius inversion, 272-274 
Möbius strip, 271 
Modified division division, 41 
Modular arithmetic, 148 
Modular exponentiation algorithm, 151-152 
complexity of, 152-153 
Modular inverses, 159 
Modular square roots, 423-424 
Modulus, 145 
Monkeys, 156, 168 
Monks, 28 
Monographic cipher, 292 
Monte Carlo method, 15, 187 
Morrison, M. A., 518 
Most wanted integers, 133 
Mr. Fix-It, 87 
Multinomial coefficient, 614 
Multiple, 36 
least common, 116 
Multiple precision, 55 
Multiplication, 
algorithm for, 57 
complexity of, 64-65 
matrix, 67 
Multiplicative function, 239, 240 
Multiplicative knapsack problem, 336-337 
Mutually relatively prime, 98 
Mysteries of the universe, 301 
Nickel, Laura, 262 
Nim, 52 
Nonresidue, quadratic, 416 
Norm, 121 

of complex number, 578 
Notation, 

Arabic, 30, 56 
big-O, 61 
binary, 48 
binary coded decimal, 51 
decimal, 48 
duodecimal, 60 
hexadecimal, 48 
octal, 48 
one’s complement, 51 
product, 19-20 
summation, 16-19 
two’s complement, 51 
NOVA, 534, 625 
NOVA Online—The Proof, 625 
Number, 
abundant, 267 
algebraic, 7 
Carmichael, 227, 228, 388-389 
composite, 70 
congruent, 560 
Cullen, 234 
deficient, 267 
double Mersenne, 268 
even, 39 
everything is, 522 
Fermat, 131-133, 353, 414, 428 
Fibonacci, 30 
generalized Fibonacci, 35 
heptagonal, 21 
hexagonal, 21 
irrational, 6 
k-abundant, 267 
k-perfect, 267 
Lucas, 34 
lucky, 77 
Mersenne, 258 
most wanted, 133 
odd, 39 
odd perfect, 266 
pentagonal, 21 
perfect, 256 
pseudorandom, 393-398 
random, 15, 393 
rational, 6 
Sierpinski, 384 
superperfect, 268 
t-congruent, 574 
tetrahedral, 21 
transcendental, 7, 452, 476-478 
triangular, 19, 20 
Ulam, 15 
Numbers, 
lucky, 77 
p-adic, 173 
pseudorandom, 393-398 
random, 393 
ten most wanted, 133 
Number of divisors function, 250, 634 
multiplicativity of, 251 
Number system, positional, 45 
Number theory, definition of, 1 
combinatorial, 277 
elementary, definition of, 3 
Number Theory Web, 625 
Numerals, Hindu-Arabic, 56 

Octal notation, 48 
Odd number, 39 
Odd perfect number, 266, 268 
Odlyzko, Andrew, 84 
Oliveira e Silva, Tomas, 84 
One-time pad, 311 
One-to-one correspondence, 11 
One’s complement representation, 51 
Ono, Kenneth, 287 
Operation, bit, 61 
Orange, Prince of, 555 
Order of an integer, 348 
Ordered set, 6, 606 
Origin of, 
mathematical induction, 24 
the word “algebra,” 57 
the word “algorithm,” 56 
Origins of mathematical induction, 24 

Pad, one-time, 311 
p-adic numbers, 173 
Pair, amicable, 267 
Pairwise relatively prime, 98-99 
Palindromic integer, 195 
Parameterization, 527 
Parity check bit, 209 
Parity theorem, Euler, 283 
Partial key disclosure attack on RSA, 328 
Partial quotient, 482 
Partial remainder, 59 
Partition, 277 
conjugate, 279 
function, 278 
restricted, 278 
self-conjugate, 279 
unrestricted, 278 
Parts, aliquot, 268 
Pascal, Blaise, 609-610 
Pascal’s identity, 609 
Pascal’s triangle, 610 
Pell, John, 554 
Pell’s equation, 553-558 
Pentagonal number, 21, 284 
Pentagonal number theorem, Euler’s, 284 
Pentagonal numbers, generalized, 286 
Pentium, 54, 86, 89, 129, 262, 263, 266 
Pepin’s test, 438-439 
Perfect number, 256, 266 
even, 256-257 
odd, 266, 268 
Perfect square, 
last two decimal digits, 135 
modulo p, 416 
Period, 
of a base b expansion, 474 
of a continued fraction, 516 
length of a pseudorandom number generator, 396 
Periodic base b expansion, 473 
Periodic cicada, 122 
Periodic continued fraction, 503 
Perpetual calendar, 197-200 
Phyllotaxis, 31 
π, 6, 499 
Pigeonhole principle, 8, 9 
Pintz, Janos, 86 
Pirates, 169 
Plaintext, 292 
Pocklington, Henry, 381 
Pocklington’s primality test, 381 
Poker, electronic, 340-341, 429 
Pollard, J. M., 128, 129, 187, 221 
Pollard, 
p - 1 factorization, 221 
rho factorization, 187-189 
Polygon, regular, 134 
Polygraphic cipher, 300, 308 
Polynomial, cyclotomic, 276-277 
Polynomial congruences, solving, 171-177, 355-356 
Polynomial time algorithm, 75 
Polynomials, congruence of, 156-157 
Pomerance, Carl, 75, 129 
Positional number system, 45 
Potrzebie system, 63 
Power, prime, 91 
Power generator, 401 
Power residue, 372 
Powerful integer, 120 
Powers, R. E., 518 
Pre-period, 473 
Primality test, 71, 379-381 
Pocklington’s, 381 
probabilistic, 231, 459 
Proth’s, 382 
Prime, 
in arithmetic progressions, 73 
definition of, 70 
Eisenstein, 597 
Fermat, 131-132 
Gaussian, 582 
Hilbert, 121 
largest known, 73-74 
Mersenne, 73-74, 258-266, 382, 396, 428, 624 
power, 91 
relatively, 39 
size of the nth, 84 
Sophie Germain, 75 
Wilson, 224 
Prime number theorem, 79-83 
Prime Pages, The, 624 
Prime power, 91 
PrimeNet, 262, 266 
Prime-power factorization, 113 
using to find greatest common divisors, 115 
using to find least common multiples, 116 
Primes, 
in arithmetic progressions, 73 
infinitude of, 70-71, 76, 101, 102, 124, 125, 133-134 
distribution of, 79-90 
finding, 71-72 
formula for, 74 
gaps, 84-85 
largest known, 73-74 
primitive roots of, 357 
twin, 86 
PRIMES is in P, 75 
Primitive Pythagorean triple, 522, 536, 561 
Primitive root, 350, 635 
Primitive root, 
method for constructing, 359 
modulo primes, 354-358, 635 
modulo prime squares, 360-362 
modulo powers of primes, 362-365 
of unity, 276, 441 
Prince of Orange, 555 
Principle, pigeonhole, 8-9 
Principle of inclusion-exclusion, 77, 613-614 
Principle of mathematical induction, 23-26 
second, 25 


Private-key cryptosystem, 321 
Prize, 
for factorizations, 130 
for finding large primes, 265 
for proving the Riemann hypothesis, 83 
for settling Beal’s conjecture, 537 
Wolfskehl, 534 
Probabilistic primality test, 231, 459 
Solovay-Strassen, 459 
Probing sequence, 206 
Problem, 
coconut, 156 
congruent number, 560 
discrete logarithm, 368-369, 372 
hundred fowls, 143 
knapsack, 331 
multiplicative knapsack, 336-337 
Waring’s, 549 
Problems, Landau, 89-90 
Product, Dirichlet, 247 
Product cipher, 299 
Product notation, 19-20 
Progression, 
arithmetic, 10 
geometric, 10, 17-18 
Project, 
Cunningham, 133 
Manhattan, 15 
Proof, 
minimum-disclosure, 461—462 
primality, 74-75 
zero-knowledge, 461-462 
Property, 
reflexive, 146 
symmetric, 147 
transitive, 147 
well-ordering, 6, 606 
Proth, E., 382 
Proth’s primality test, 382 
Protocol, 
cryptographic, 338 
failure, 328 
key agreement protocol, 338 
Prover, in a zero-knowledge proof, 462 
Pseudoconvergent, 502 
Pseudoprime, 225—227 
Euler, 453-455 
strong, 229, 456 
Pseudorandom number generator, 393-399 
discrete exponential, 401 
Fibonacci, 400-401 
linear congruential, 395 
middle-square, 394 

1/P, 480 

power, 401 

pure multiplicative, 396 

quadratic congruential, 402 

square, 397-398 
Pseudorandom numbers, 393-399, 480 
Ptolemy II, 72 
Public-key cipher, 321-323 
Public-key cryptography, 321-329, 402-403 
Public-key cryptosystem, 321-322 
Pulvizer, the, 102 
Pure multiplicative congruential method, 

396-397 

Purely periodic continued fraction, 511-512 
Puzzle, 141, 143, 162 

jigsaw, 28 

tower of Hanoi, 28 
Pythagoras, 522 
Pythagorean theorem, 522 
Pythagorean triple, 522, 561 

primitive, 522, 524, 561, 603 
Pythagoreans, 522 


Quadratic character of —1, 419-420 
Quadratic character of 2, 421-422 
Quadratic congruential generator, 402 
Quadratic hashing, 429 
Quadratic irrationality, 504, 579 
reduced, 512 
Quadratic nonresidue, 416 
Quadratic reciprocity law, 418, 430-438 
different proofs of, 431 
Euler’s version of, 431-432 
Gauss’s proofs of, 431 
history of, 430-431 
proof of, 434-437, 441, 442 
Quadratic residue, 416 
Quadratic residues 
chain of, 429, 430 
consecutive, 428 
Quadratic residues and primitive roots, 417 
Quadratic sieve, 129 
Queen of mathematics, 146 
Quotient, 37 
Fermat, 224 
partial, 482 


Rabbits, 30 

Rabin, Michael, 329 

Rabin cryptosystem, 329, 429 

Rabin’s probabilistic primality test, 231 
rad function, 125, 538-539 
Radix, 48 
Ramanujan, Srinivasa, 253, 254, 286-287 
Ramanujan congruences, 287 
Random numbers, 15, 393 
Ratio, common, 10 
Rational integer, 579 
Rational number, 6 
Rational numbers, 

countability of, 11-12 
Rational point, 

on curve, 526 

on elliptic curve, 568 

on unit circle, 526-528 
Real number, base b expansion of, 469-471 
Real numbers, 

equivalent, 502 

uncountability of, 478-479 
Reciprocity law, 

for Jacobi symbols, 446-447 

quadratic, 418, 430-438 
Recurrence relation, 

linear homogeneous, 

35 

for the partition function, 286 
Recursive definition, 26—27 
Reduced quadratic irrational, 512 
Reduced residue system, 235 
Reducing modulo m, 147 
Reflexive property, 146 
Regular polygon, constructability, 134, 146 
Relatively prime, 39, 93 

mutually, 98 

pairwise, 98-99 
Remainder, 37 
Remainder, partial, 59 
Representation, 

one’s complement, 51 

two’s complement, 51 

Zeckendorf, 34 
Repunit, 195 

base b, 195 
Residue, 

cubic, 378 

kth power, 372 

least nonnegative, 147 

quadratic, 416 

system, reduced, 235 
Residues, 

absolute least, 148 

complete system of, 148 

reduced, 235 


Restricted partitions, 278 
Riemann, Georg Friedrich, 80, 83, 232 
Riemann hypothesis, 83 
Riemann hypothesis, generalized, 231 
Riesel, Hans, 262 
Right triangle, 
integer, 560 
rational, 560 
Rijndael algorithm, 310 
Rivest, Ronald, 324 
Robinson, Raphael, 262 
Rogers, Leonard James, 287 
Rogers-Ramanujan identities, 287 
Root, primitive, 350 
of unity, 276 
Root of a polynomial modulo m, 350 
Root of unity, 441 
primitive, 276, 441 
Roman numerals, 45 
Romans, 45 
Round-robin tournament, 202—203 
RSA cryptosystem, 323-328, 354, 390, 500, 
621, 625 
attacks on implementations of, 328-329 
cycling attack on, 354 
digital signatures in, 339-340 
Hastad broadcast attack on, 328, 330 
partial key disclosure attack on, 328-329 
security of, 326-327 
Wiener’s low encryption exponent attack, 
328, 500-501 
RSA factoring challenge, 130 
RSA Labs, 130, 625 
cryptography FAQ, 625 
RSA-129, 129, 130 
RSA-130, 130 
RSA-140, 130 
RSA-155, 130 
RSA-200, 129, 130 
Rule for squaring an integer with final digit 5, 
60 
Rumely, Robert, 75 


Sarrus, P-F., 225 

Saxena, N., 75 

Scottish Cafe, 15 

Second principle of mathematical induction, 
25 

Secret sharing, 342-343 

Security of RSA, 326-327 

Seed, 395 

Selberg, A., 73, 81 


Self-conjugate partition, 279 
Sequence, 10 
aliquot, 268 
Euler-Mullin, 78 
Fibonacci, 30 
formula for terms, 10 
integer, 11 
probing, 206, 429 
Sidon, 53 
spectrum, 14 
super-increasing, 332 
Series, 
Farey, 100 
harmonic, 27 
Set, 
countable, 11, 478 
ordered, 606 
uncountable, 11, 478 
well-ordered, 6 
Shadows, 342 
Shamir, Adi, 323, 324, 340, 463 
Sharing, secret, 342-343 
Shift transformation, 294 
Shifting, 57 
Shuffling cards, 224 
Sidon, Simon, 53 
Sidon sequence, 53 
Sierpiński, Wacław, 384 
Sierpinski number, 384 
Sieve, 
of Eratosthenes, 71-72 
number field, 129 
quadratic, 129 
Signature, digital, 339-340, 344-345, 
405-407 
Signed message, 339 
Simple continued fraction, 482 
Shafer, Michael, 263 
Sinning, 301 
Skewes, S., 84 
Skewes’ constant, 84 
Sloane, Neil, 11 
Slowinski, D., 262 
Smith, Edson, 264 
Sneakers, 324 


Solovay-Strassen probabilistic primality test, 


460 
Solving 
linear congruences, 157-160 
linear diophantine equations, 137-141 
polynomial congruences, 171-177 
Splicing of telephone cables, 411-412 
Spread of a splicing scheme, 411 
Square, 
diabolic, 187 
magic, 186 
Square pseudorandom number generator, 
397-399 
Square root, modular, 423-424 
Square-free integer, 120 
Square-free part, 561 
Squaring an integer with final digit 5, 60 
Squares, sums of, 542-548, 599-602 
Stark, Harold, 260 
Strauss, E., 29 
Step, 
basis, 23 
inductive, 23 
Stream cipher, 310-311 
Stridmo, Odd. M., 264 
Strip, Möbius, 271 
Strong pseudoprime, 229, 373-376, 
454 
Strongly multiplicative function, 247 
Subexponential time, 128 
Substitution cipher, 293 
Subtraction, algorithm for, 56 
Subtraction, complexity of, 54 
Sum, telescoping, 18 
Sum of divisors function, 249, 634 
multiplicativity of, 251 
Summation, 
index of, 16 
notation, 16 
terms of a geometric series, 18 
Summations, 
properties of, 17 
Summatory function, 243 
of Möbius function, 270-271 
Sums of cubes, 549-550 
Sums of squares, 542-548, 599-602 
Super-increasing sequence, 332 
Superperfect integer, 268 
SWAC, 262 
Sylvester, James Joseph, 96, 266, 280 
Symbol, 
Jacobi, 443 
Kronecker, 451 
Legendre, 417 
Symmetric cipher, 321 
Symmetric property, 147 
System, index, 377 
System of congruences, 178-185 
System of linear congruences, 174-181 
System of residues, 
complete, 148 
reduced, 235 


Table, 
factor, 627-633 
of arithmetic functions, 634 
of continued fractions, 640 
of indices, 636—639 
of primitive roots, 635 
Tao, Terence, 87 
t-congruent number, 574 
Team, 
away, 203 
home, 203 
Telephone cables, 411-413 
Telescoping sum, 18 
Ten most wanted integers, 133 
Term, initial, of a geometric progression, 10 
Terminate, 472 
Terminating base b expansion, 472 
Test, 
divisibility, 191-194 
Kasiski, 302 
Lucas-Lehmer, 260 
Miller’s, 228—229 
Pepin’s, 438-439 
primality, 71-72, 74-75, 228-230, 
378-383, 460 
probabilistic primality, 228-230, 460 
Tetrahedral number, 21 
Theorem, 
Bezout’s, 95 
binomial, 610-611 
Chinese remainder, 162-163 
Dirichlet’s, 9, 73, 118, 497 
Euler parity, 283 
Euler’s, 234 
Euler’s pentagonal number, 284 
Fermat’s last, 530—536 
Fermat’s little, 219-220 
fundamental, of arithmetic, 112 
Gauss’s generalization of Wilson’s, 224 
Green-Tao, 87 
Lagrange’s (on continued fractions), 
506-507 
Lagrange’s (on polynomial congruences), 
355 
Lamé’s, 105-106 
prime number, 81 
Wilson’s, 217 
Threshold scheme, 342-343, 359-360 


Thue, Axel, 551 
Thue’s lemma, 551 
Tijdeman, R., 537 
Tournament, round-robin, 202-203 
Tower of Hanoi, 28, 259 
Transcendental number, 7, 452, 476-478 
Transformation, affine, 294, 316 
Transformation, shift, 294 
Transitive property, 147 
Transposition cipher, 316 
Trial division, 71, 127 
Triangle, 
Heron, 574 
Pascal’s, 609-610 
Pythagorean, 522 
right, integer, 560 
right, rational, 560 
Triangular number, 19, 20 
Trichotomy law, 606 
Trivial zeros, 83 
Tuberculosis, 62, 232, 254, 434 
Tunnell, J., 571-572 
Tuckerman, Bryant, 262 
Twin prime conjecture, 86 
Twin primes, 86 
asymptotic formula conjecture, 92 
application to hashing, 206 
Two squares, sums of, 542-545, 601-602 
Two’s complement representation, 51 


Ujjain, astronomical observatory at, 555 
Ulam, S. M., 15 
Ulam number, 15 
Uncountable set, 12, 15, 478-479 
Unique factorization, 112-114 
of Gaussian integers, 592-594 
Unique factorization, failure of, 114, 121, 
598 
Unit, in the Gaussian integers, 581 
Unit circle, 
rational points on, 526, 527 
Unit fraction, 29 
Unity 
primitive root of, 276, 441 
root of, 441 
Universal exponent, 386 
Universal product code, 213 
Unrestricted partitions, 278 
Uzbekistan, 57 


Vallée-Poussin, C. de la, 79, 81 
van der Corput, Johannes, 87 


Variable, dummy, 16, 20 

Vega, Jurij, 79 

Vegetarianism, 254 

Verifier, in a zero-knowledge proof, 462 

Vernam, Gilbert, 311 

Vernam cipher, 311 

Vigenère, Blaise de, 300, 301, 312 

Vigenère cipher, 300-301 
cryptanalysis of, 302-305 

von Humboldt, Alexander, 434 

von Neumann, John, 394 


Wagstaff, Samuel, 133, 532 
Wallis, John, 554-555 
Waring, Edward, 217, 549 
Waring’s problem, 549 
Web, Number Theory, 625 
Web sites, 624-625 
Wedeniwski, Sebastian, 83 
Weights, 50, 169 
Well-ordered set, 6, 606 
Well-ordering property, 6, 606 
Welsh, Luke, 262 

Wiener, M., 328, 500-501 
Wiles, Andrew, 533-534 
Wilson, John, 217 
Wilson prime, 224 
Wilson’s theorem, 217-218 
Gauss’ generalization of, 224 
Gaussian integers, analogue for, 604 
Winning move in game of Euclid, 111 
Winning position in nim, 52 
Wisdom, House of, 57 
Wolfskehl prize, 534 
Woltman, George, 262 
Word size, 54 
World, end of, 28 


Year end day, 201 
Year, leap, 197-198 
Yildirim, Cem, 86 


Zeckendorf representation, 34 
Zeller, Christian Julius, 200 
Zero-knowledge proof, 461-462 
Zeros, trivial, 83 

Zeta function, Riemann, 81, 83 
ZetaGrid, 83 

Ziegler’s Giant Bar, 63 
$[x]$ Greatest integer, 7 
Summation, 16 
Product, 19 
Factorial, 20 
Fibonacci number, 30 
$a \mid b$ Divides, 37 
$a \nmid b$ Does not divide, 37 
$(a, b)$ Greatest common divisor, 39 
$(a_k a_{k-1} \ldots a_1 a_0)_b$ Base b expansion, 48 
$O(f)$ Big-O notation, 61 
$\pi(x)$ Number of primes, 72 
$f(x) \sim g(x)$ Asymptotic to, 82 
$(a_1, \ldots, a_n)$ Greatest common divisor (of n integers), 98 
$\mathcal{F}_n$ Farey series of order n, 100 
$\min(x, y)$ Minimum, 115 
$\max(x, y)$ Maximum, 116 
$[a, b]$ Least common multiple, 116 
$p^a \parallel n$ Exactly divides, 121 
$[a_1, a_2, \ldots, a_n]$ Least common multiple (of n integers), 123 
$F_n$ Fermat number, 131 
$a \equiv b \pmod{m}$ Congruent, 145 
$a \not\equiv b \pmod{m}$ Incongruent, 145 
Inverse, 159 
Congruent (matrices), 180 
Identity matrix, 182 
Inverse (of matrix), 182 
Adjoint, 183 


$h(k)$ Hashing function, 204 
$\phi(n)$ Euler’s phi-function, 234 
$\sum_{d \mid n}$ Summatory function, 243 
$f * g$ Dirichlet product, 247 
$\lambda(n)$ Liouville’s function, 247 
$\sigma(n)$ Sum of divisors function, 249 
$\tau(n)$ Number of divisors function, 250 
$M_n$ Mersenne number, 258 
$\mu(n)$ Möbius function, 270 
$p(n)$ partition function, 278 
$E_k(P)$ Enciphering transformation, 292 
$D_k(P)$ Deciphering transformation, 292 
$\mathcal{K}$ Keyspace, 292 
$\mathrm{ord}_m\, a$ Order of a modulo m, 348 
$\mathrm{ind}_r\, a$ Index of a to the base r, 369 
$\lambda(n)$ Minimal universal exponent, 386 
$\lambda_0(n)$ Maximal ±1-exponent, 409 
$\left(\frac{a}{p}\right)$ Legendre symbol, 417 
$\left(\frac{a}{n}\right)$ Jacobi symbol, 443 
$(.c_1 c_2 c_3 \ldots)_b$ Base b expansion, 471 
$(.c_1 \ldots c_{N-1} \overline{c_N \ldots c_{N+k-1}})_b$ Periodic base b expansion, 473 
$[a_0; a_1, a_2, \ldots, a_n]$ Finite simple continued fraction, 482 
$C_k = p_k / q_k$ Convergent of a continued fraction, 485 
$[a_0; a_1, a_2, \ldots]$ Infinite simple continued fraction, 491 
$[a_0; a_1, \ldots, a_{N-1}, \overline{a_N, \ldots, a_{N+k-1}}]$ Periodic continued fraction, 503 
$\alpha'$ Conjugate, 505 
$N(z)$ Norm of complex number, 578 
$\bar{z}$ Complex conjugate, 578 
$\binom{m}{k}$ Binomial coefficient, 608 


